Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware, quoting Mozilla Developer Network reference.

Basically it says to load content only from explict sources sent by the webserver - Nginx in my case. So I added the following to my nginx.conf:

	add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' http://fonts.googleapis.com http://maxcdn.bootstrapcdn.com ; font-src 'self' data: http://fonts.gstatic.com http://maxcdn.bootstrapcdn.com;"  always;