Rack::Protection::ContentSecurityPolicy has script-src and style-src defaults making it impossible leave them out of the header to have them fallback to default-src.