For testing on my local machine, I add the following to my nginx headers to allow everything through:
add_header 'Access-Control-Allow-Origin' '*';
add_header 'X-Frame-Options' '';
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'";