Content Security Policy is active only for HTML responses, not for image/svg+xml
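
The gap described above, as an added example that is not code from the affected project: a response filter that attaches CSP to `text/html` only leaves a directly opened SVG, which browsers render as a document that can run script, without a policy. The function names, the policy string and the sample responses are constructed for illustration.

```python
# Added example; names, policy string and sample responses are constructed.
CSP_VALUE = "default-src 'none'; sandbox"

# Media types a browser renders as a document (script can run) when opened directly.
ACTIVE_DOCUMENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def media_type(headers):
    """Lowercased media type without parameters, or '' when no Content-Type is set."""
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def has_csp(headers):
    return any(name.lower() == "content-security-policy" for name, _ in headers)


def add_csp_html_only(headers):
    """Behaviour described above: the policy is attached to text/html only."""
    if media_type(headers) == "text/html" and not has_csp(headers):
        return headers + [("Content-Security-Policy", CSP_VALUE)]
    return list(headers)


def add_csp_active_documents(headers):
    """Corrected gate: every document-capable type gets the policy."""
    if media_type(headers) in ACTIVE_DOCUMENT_TYPES and not has_csp(headers):
        return headers + [("Content-Security-Policy", CSP_VALUE)]
    return list(headers)


# Constructed sample responses (header lists only).
SAMPLES = {
    "page": [("Content-Type", "text/html; charset=utf-8")],
    "upload.svg": [("content-type", "Image/SVG+XML; charset=utf-8")],
    "logo.png": [("Content-Type", "image/png")],
}


def uncovered(filter_fn):
    """Names of sample responses that are document-capable but leave without a CSP."""
    return sorted(
        name for name, hdrs in SAMPLES.items()
        if media_type(hdrs) in ACTIVE_DOCUMENT_TYPES and not has_csp(filter_fn(hdrs))
    )


if __name__ == "__main__":
    print("html-only gate misses:", uncovered(add_csp_html_only))
    print("corrected gate misses:", uncovered(add_csp_active_documents))
```

The `uncovered` helper can be pointed at captured response headers from a staging environment to confirm that no document-capable type leaves without a policy.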