script-src strict-dynamic
The loader has a nonce and runs. But the <script> it creates dynamically has no nonce — the browser blocks it. Without 'strict-dynamic', trust doesn't pass from a trusted script to the scripts it injects.
Response header
Content-Security-Policy: script-src 'nonce-MErTzTQrZDMKzA/p5z8PEA=='Loader script in page source
<script nonce="MErTzTQrZDMKzA/p5z8PEA==">
var s = document.createElement('script');
s.src = '/javascripts/sdk.js';
document.head.appendChild(s);
</script>
Loader script
( ._.)
Injected script (/javascripts/sdk.js)
( ._.)
Check the browser console to see the CSP violation error.