Update Content-Security-Policy (CSP) to allow 'unsafe-inline' (JS + CSS)