diff --git a/README.HTTP-security-headers b/README.HTTP-security-headers
index 5334e6b..8554cad 100644
--- a/README.HTTP-security-headers
+++ b/README.HTTP-security-headers
@@ -138,15 +138,15 @@
    # - A more secure configuration, including Google Analytics, Google AJAX CDN
    # - and Emmbedding Google Fonts
    # -
-   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
 
    # - Same as above but also allow YouTube Videos
    # -
-   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
 
    # - Same as above but also allow YouTube Videos
    # -
-   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
+   #Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com ; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: ; connect-src 'self'; font-src 'self' data: https:; object-src 'self' ; media-src 'self' ; child-src 'self' ; worker-src 'self' www.youtube.com *.openstreetmap.org ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"
 
    # - Referrer-Policy
 	# -