read.php:1 Refused to run the JavaScript URL because it violates the following Content Security Policy directive: “script-src ‘self’”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-…’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.

Solution:

Add unsafe-inline in the header

header("Content-Security-Policy: script-src 'self' 'unsafe-inline';);