CSP "script-src" includes "unsafe-inline" in https://gratipay.com
Gratipay
Reported by d4rk_g1rl
Vulnerability Details
Technical details and impact analysis
# Summary
Related Report: #225833
Gratipay is using `'unsafe-inline'` in the `script-src` directive of its CSP header, which allows the use of inline resources such as inline `<script>` elements, `javascript:` URLs, inline event handlers, and inline `<style>` elements.
Proof Of Concept
# By using cURL
`curl -I https://gratipay.com`
Results: see my attached photo.
The CSP header above contains a `script-src` directive which has the `'unsafe-inline'` source in it.
This does not result in an immediate threat, but should be excluded, if possible, as a best practice. For further information, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
Regards,
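A way to turn the manual `curl -I` inspection above into a repeatable check, added here as an example and not part of the report or of Gratipay's code: the script parses a CSP header the way a browser does (`script-src` falling back to `default-src`, first occurrence of a directive wins) and reports whether inline scripts are actually permitted. It also handles the transitional case the MDN page describes, where a nonce or hash source is listed alongside `'unsafe-inline'` and CSP Level 2+ browsers therefore ignore the latter. The three header strings and the nonce value are constructed placeholders, not Gratipay's real policy.

```python
"""Check whether a Content-Security-Policy header leaves inline scripts
enabled via 'unsafe-inline' in script-src (or via the default-src fallback)."""

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample headers for illustration; not Gratipay's real policy.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
            "style-src 'self' 'unsafe-inline'")
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' 'nonce-d2FzdGVk' https://cdn.example.com; "
                "style-src 'self'")
# Transitional policy: CSP Level 2+ browsers ignore 'unsafe-inline' when a
# nonce or hash source is present, so inline scripts stay blocked there.
MIXED_CSP = "script-src 'self' 'unsafe-inline' 'nonce-d2FzdGVk'"

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source-expression, ...]}.
    Directives are ';'-separated, tokens whitespace-separated; directive
    names are case-insensitive and a repeated directive is ignored."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


@dataclass
class ScriptSrcFinding:
    governed: bool        # some directive restricts scripts at all
    unsafe_inline: bool   # 'unsafe-inline' is listed
    neutralised: bool     # a nonce/hash is also listed, so CSP2+ ignores it
    inline_allowed: bool  # modern browsers will run inline <script> / handlers


def check_script_src(header: str) -> ScriptSrcFinding:
    """Evaluate the policy's effect on inline scripts."""
    policy = parse_csp(header)
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]  # script-src falls back to default-src
    else:
        # Nothing governs scripts: inline scripts are completely unrestricted.
        return ScriptSrcFinding(False, False, False, True)
    lowered = [s.lower() for s in sources]  # keyword sources are case-insensitive
    unsafe_inline = "'unsafe-inline'" in lowered
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
    return ScriptSrcFinding(
        governed=True,
        unsafe_inline=unsafe_inline,
        neutralised=unsafe_inline and has_nonce_or_hash,
        inline_allowed=unsafe_inline and not has_nonce_or_hash,
    )


def verdict(header: str) -> str:
    """One-line result suitable for a CI check or a scanner report."""
    f = check_script_src(header)
    if not f.governed:
        return "FAIL: no script-src or default-src, inline scripts unrestricted"
    if f.inline_allowed:
        return "FAIL: 'unsafe-inline' permits inline scripts"
    if f.neutralised:
        return "WARN: 'unsafe-inline' present but ignored by CSP2+ browsers"
    return "PASS: inline scripts blocked"


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP), ("mixed", MIXED_CSP)):
        print(f"{label:9s} {verdict(csp)}")
```

Running the file prints a verdict for each constructed header; the `WEAK_CSP` case reproduces the finding in this report, `HARDENED_CSP` shows the nonce-based replacement, and `MIXED_CSP` shows why a nonce added next to `'unsafe-inline'` only protects browsers that implement CSP Level 2 or later. Paste the `Content-Security-Policy` value from a `curl -I` response into `verdict()` to check a live header.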
Report Details
Additional information and metadata
State: Closed
Substate: Informative
Weakness: Violation of Secure Design Principles