← back to examples

script-src-elem / script-src-attr

script-src covers all script execution — including inline event handlers. The onclick attribute has no nonce, so the browser blocks it. The only way to allow it under a plain script-src policy would be 'unsafe-inline', which defeats the nonce.

Response header
Content-Security-Policy: script-src 'self' 'nonce-L9zVHWVOtXAnnm3kjaCCpg=='
Inline event handler in page source
<button onclick="markScriptRan()">Click me</button>
Result — click the button
( ._.)

Check the browser console to see the CSP violation error.