Content Security Policy. on shared hosting with two nodejs aps

added some policies to response including my domain, and ‘self’ . browser steel prevents loading

response headers
script-src ‘self’ ‘https://just-fit.by’;connect-src ‘self’ https:;img-src ‘self’ data: blob: https://market-assets.strapi.io;media-src ‘self’ data: blob:;default-src ‘self’;base-uri ‘self’;font-src ‘self’ https: data:;form-action ‘self’;frame-ancestors ‘self’;object-src ‘none’;script-src-attr ‘none’;style-src ‘self’ https: ‘unsafe-inline’