The image above has been explicitly embedded over the HTTP scheme but the "default-src" requires HTTPS.