script-src nonce
CSP is active on both pages. The script is only allowed when it carries a nonce attribute that matches the value in the response header — a random token generated fresh on every request.
Response header (same on both pages)
Content-Security-Policy: script-src 'self' 'nonce-mWyFifFcjSch3IiUZ/dJkw=='Inline script in page source
<script ← no nonce attribute>markScriptRan();</script>
Result
( ._.)
Check the browser console to see the CSP violation error.