Content Security Policy directives

I’m working on a project that allows login to Evernote then redirects back.

On the redirect back into the project, the browser shows: Cannot GET /auth/callback (that’s a React route).

And in the error log:

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (callback, line 0)

I’ve tried 20 or so variations of Express setHeader("Content-Security-Policy", ... with those directives, but haven’t had any luck yet.

Anyone have a tip or pattern to follow?
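
The check that the error message above describes, written out as an added example (not part of the original post and not Express or browser code): it decides whether an inline script passes a policy by nonce, hash or 'unsafe-inline', with script-src taking precedence over default-src. The function names, the sample script body and the sample policies are constructed for illustration, and the model leaves out script-src-elem, 'strict-dynamic' and report-only policies.

```javascript
const { createHash, randomBytes } = require('node:crypto');

// Parse a CSP header value into Map(directive name -> source expressions).
// A directive that appears twice is taken from its first occurrence only.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Hash source expression ('sha256-<base64>') for an inline script body.
function scriptHash(body) {
  return `'sha256-${createHash('sha256').update(body, 'utf8').digest('base64')}'`;
}

// Would an inline <script nonce=...>body</script> run under this policy?
function inlineScriptAllowed(header, body, nonce) {
  const policy = parseCsp(header);
  // script-src governs scripts; default-src is only the fallback.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no directive restricts scripts
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  if (sources.includes(scriptHash(body))) return true;
  // 'unsafe-inline' is ignored once any nonce or hash source is listed.
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return unsafeInline && !strict;
}

// Fresh per-response nonce and a policy that names it (hypothetical helper).
function buildPolicy() {
  const nonce = randomBytes(16).toString('base64');
  return { nonce, header: `default-src 'self'; script-src 'self' 'nonce-${nonce}'` };
}

// Constructed sample: one inline script checked against several policies.
const body = "window.__BOOT__ = {route: '/auth/callback'};";
const { nonce, header } = buildPolicy();
console.log(inlineScriptAllowed("default-src 'none'", body));                   // false
console.log(inlineScriptAllowed(header, body, nonce));                          // true
console.log(inlineScriptAllowed(`script-src ${scriptHash(body)}`, body));       // true
console.log(inlineScriptAllowed("script-src 'unsafe-inline' 'nonce-x'", body)); // false
```

The nonce has to be generated per response and placed both in the header and in the script tag's nonce attribute; a value reused across responses defeats its purpose.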