- Refine security policies: when necessary, define both a nonce and a 'unsafe-inline' to ensure compatibility on some less adavanced browsers - use same "secure" setting for ad_session_id, otherwise, just the last one is honored - fix linefeed and semicolon in js for focus handling