Since I added the ability you mention to put html head in separate file, I get the following problem in the browser:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-kLOQNAVOaBgADiUv3KS/St2g6k1exicli/nlGA4Ku2Y='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Since I added the ability you mention to put html head in separate file, I get the following problem in the browser:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-kLOQNAVOaBgADiUv3KS/St2g6k1exicli/nlGA4Ku2Y='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.