Content Security Policy directive: "script-src" issues

Well I figured it out, its because the onclick and onload are also not allowed inline.
So I had to switch to an eventlistener over in my script and no it works fine!

It would nice if the documentation on security actually covered this better!