{{ $policy := "default-src 'self';" }} {{ if not hugo.IsServer }} {{ $policy = "upgrade-insecure-requests; block-all-mixed-content; default-src 'self';" }} {{ end }} {{ $scriptsrc := printf "%s https://unpkg.com" (delimit .Site.Params.csp.scriptsrc " ") }} {{ printf ` ` $policy (delimit .Site.Params.csp.childsrc " ") (delimit .Site.Params.csp.fontsrc " ") (delimit .Site.Params.csp.formaction " ") (delimit .Site.Params.csp.framesrc " ") (delimit .Site.Params.csp.imgsrc " ") (delimit .Site.Params.csp.objectsrc " ") (delimit .Site.Params.csp.stylesrc " ") $scriptsrc (delimit .Site.Params.csp.connectsrc " ") | safeHTML }}