Wrong http CSP(Content-Security-Policy) header?

[PeterDaveHello]

Just found that there's an error of the CSP header, and looks like the directive is missing, something like default-src should be added.

I can't find the place to send a PR for it, so an issue's here instead.

$ curl -sI https://dnscrypt.info/stamps/ | grep -i ^content-security-policy
content-security-policy: https: 'unsafe-inline'; reflected-xss block

https://csp-evaluator.withgoogle.com/