script-src-elem

[jimixy]

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.11/lodash.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' *.xitu.io *.juejin.im *.baidu.com *.google-analytics.com *.meiqia.com dn-growing.qbox.me *.growingio.com *.guard.qcloud.com *.gtimg.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

[Dante-dan]

emmmm, Readme mention this
Q: $i fail to import resources
On some websites like GitHub, $i will fail to import resources. Console warning may be like follows:

Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'unsafe-inline' assets-cdn.github.com".
It is because of strict Content Security Policy of these websites. For more information, see Content Security Policy (CSP) wiki

[pd4d10]

Yeah, it's due to the CSP of the website itself.

#3 (comment) mentioned a solution which use "Disable Content-Security-Policy" extension to disable it, but I think it may cause security issues.