default-src
Without CSP, injected scripts run freely. A default-src 'self' policy blocks them — click on search to see the difference.
Response header
Content-Security-Policy: default-src 'self'
Search query
Result
( ._.)