Review CSP security config

Seems like ScriptSrc is being ignored