A complete policy

default-src 'none';
script-src my.cdn.com;
img-src 'self' data:;
child-src 'self' data: ms-appx-web:;
block-all-mixed-content;
report-uri https://my-reports.com/submit;

An policy with unsafe source expressions

script-src 'self' 'unsafe-eval' 'unsafe-inline';
style-src 'unsafe-inline' 'unsafe-hashed-attributes' 'self';