← back to examples

script-src strict-dynamic

The loader has a nonce and runs. But the <script> it creates dynamically has no nonce — the browser blocks it. Without 'strict-dynamic', trust doesn't pass from a trusted script to the scripts it injects.

Response header
Content-Security-Policy: script-src 'nonce-MErTzTQrZDMKzA/p5z8PEA=='
Loader script in page source
<script nonce="MErTzTQrZDMKzA/p5z8PEA==">
  var s = document.createElement('script');
  s.src = '/javascripts/sdk.js';
  document.head.appendChild(s);
</script>
Loader script
( ._.)
Injected script (/javascripts/sdk.js)
( ._.)

Check the browser console to see the CSP violation error.