Welcome to the Strict CSP Worker-Nonce Demo

Please verify the following:

  • Nonced Inline Script

    A nonced inline script that sets this box to green should run.

  • Unnonced Inline Script

    In browsers that support nonces, this script should be blocked and the box should remain green. In older browsers, the 'unsafe-inline' fallback is honored, and the inline script will turn this box red.

  • Nonced URL-Loaded Script

    The /good-script.js file should load and run. After 3 seconds, this box should turn green. This script also loads another script that displays an alert.

  • Unnonced URL-Loaded Script

    In browsers that support strict-dynamic, the /bad-script.js file should not load and this box should remain green. In other browsers (mainline Safari), the fallback host list is used, and the script will run, setting this box to red.
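
The four checks above, as an added example that is not this demo's own code: it builds one script-src policy with a fresh nonce and models, in simplified form, how browsers at three levels of CSP support read that same header. The function names, the fallback host https://demo.example and the sample script descriptions are assumptions.

```javascript
// Added example: names, the fallback host and the sample scripts are constructed.
// Web Crypto is global in workers, browsers and current Node; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const FALLBACK_HOSTS = ['https://demo.example']; // assumed fallback host list

// Fresh 128-bit nonce per response; a reused nonce protects no better than 'unsafe-inline'.
function newNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

function buildPolicy(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic' 'unsafe-inline' ${FALLBACK_HOSTS.join(' ')}`;
}

// Simplified model of how a browser reads that one header.
// level 1: no nonce support; level 2: nonces; level 3: nonces + 'strict-dynamic'.
// script: { nonce?: string, src?: string, addedByTrustedScript?: boolean }
function scriptAllowed(level, policyNonce, script) {
  if (level >= 2 && script.nonce === policyNonce) return true;
  if (level >= 3) {
    // 'strict-dynamic': the host list and 'unsafe-inline' are ignored; trust
    // extends only to scripts inserted by an already trusted script.
    return Boolean(script.addedByTrustedScript);
  }
  if (script.src) {
    return FALLBACK_HOSTS.some((h) => script.src.startsWith(h + '/'));
  }
  // Inline: 'unsafe-inline' is ignored once the browser understands the nonce.
  return level === 1;
}

// Evaluate the page's four test cases for one browser level.
function demoMatrix(level) {
  const nonce = newNonce();
  const cases = {
    noncedInline: { nonce },
    unnoncedInline: {},
    noncedUrl: { nonce, src: 'https://demo.example/good-script.js' },
    unnoncedUrl: { src: 'https://demo.example/bad-script.js' },
  };
  const out = { policy: buildPolicy(nonce) };
  for (const [name, s] of Object.entries(cases)) out[name] = scriptAllowed(level, nonce, s);
  return out;
}
```

Calling demoMatrix(3) reproduces the all-green outcome, while levels 2 and 1 show which boxes turn red when a browser falls back to the host list or to 'unsafe-inline'.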