script-src nonce
CSP is active on both pages. The script is only allowed when it carries a nonce attribute that matches the value in the response header — a random token generated fresh on every request.
Response header (same on both pages)
Content-Security-Policy: script-src 'self' 'nonce-ZjpbJPnaXHp3002C0WWAog=='Inline script in page source
<script nonce="ZjpbJPnaXHp3002C0WWAog==">markScriptRan();</script>
Result
( ._.)