This page sets the following headers:
Content-Security-Policy: script-src 'nonce-123'; object-src 'none'; report-uri /foo