Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *