← back to examples

script-src strict-dynamic

The loader has a nonce so the browser trusts it. 'strict-dynamic' extends that trust to any script the loader injects — even though the injected script has no nonce of its own.

Response header
Content-Security-Policy: script-src 'nonce-O3mESNMHfG8VPUllZk2yPg==' 'strict-dynamic'
Loader script in page source
<script nonce="O3mESNMHfG8VPUllZk2yPg==">
  var s = document.createElement('script');
  s.src = '/javascripts/sdk.js';
  document.head.appendChild(s);
</script>
Loader script
( ._.)
Injected script (/javascripts/sdk.js)
( ._.)