Make sample Content-Security-Policy more restrictive.

Web.config

@@ -19,8 +19,8 @@
       <customHeaders>
         <!-- Clear other custom headers -->
         <clear/>
-        <!-- Limit resources to the same origin (allowing inline styles and script evaluation) -->
-        <add name="Content-Security-Policy" value="default-src 'self' ; referrer no-referrer"/>
+        <!-- Limit resources to the same origin, block referrer -->
+        <add name="Content-Security-Policy" value="default-src 'none' ; script-src 'self' ; connect-src 'self' ; img-src 'self' ; style-src 'self' ; referrer no-referrer"/>
       </customHeaders>
     </httpProtocol>
   </system.webServer>