This is a test case to see whether deferred inline scripts as proposed in wordpress-develop#4391 (for Core-39941) are compatible with Content-Security-Policy (CSP).
Note that the scripts intended to be executed include a nonce of r4nd0m.
The default policy incorporates the 'strict-dynamic' source expression from Google's recommended Strict CSP.
Unlike the previous version of this CSP test, which was incompatible with Strict CSP, this version is fully compatible with Strict CSP (including the exclusion of 'unsafe-eval').
Malicious inline scripts with an invalid nonce are no longer able to bypass CSP, since we now check the nonce explicitly (see 81abb8b).
Additionally, the 'unsafe-hashes' source expression is no longer needed, since the onload event handler attributes have been removed in favor of a single capturing load event listener (see 10up#62).
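
The explicit nonce check mentioned above, sketched as an added example (it is not the code from 81abb8b or the pull request). The function names and the plain objects standing in for script elements are assumptions; the point is that under 'strict-dynamic' the browser does not nonce-check a script created by an already trusted script, so a loader that activates deferred inline scripts has to compare nonces itself.

```javascript
// Added example; names and data shapes are assumptions, not the PR's code.

// Nonce of the trusted loader script. The `nonce` property is read rather
// than the attribute, because browsers can hide the attribute value.
function trustedNonce(loaderScript) {
  const nonce = loaderScript ? loaderScript.nonce : '';
  return typeof nonce === 'string' && nonce !== '' ? nonce : null;
}

// Keep only deferred inline scripts whose nonce equals the loader's nonce.
// Fails closed: without a loader nonce nothing is eligible to run.
function runnableDeferredScripts(deferredScripts, loaderScript) {
  const expected = trustedNonce(loaderScript);
  if (expected === null) return [];
  return deferredScripts.filter((script) => script.nonce === expected);
}

// Turn one vetted deferred script into an executable script element.
// `doc` is a Document (or a stand-in with createElement and head.appendChild).
function activate(script, doc) {
  const el = doc.createElement('script');
  el.nonce = script.nonce; // already verified by runnableDeferredScripts()
  el.textContent = script.textContent;
  doc.head.appendChild(el);
  return el;
}

// Run the check and activation together; returns the elements that were added.
function runAll(deferredScripts, loaderScript, doc) {
  return runnableDeferredScripts(deferredScripts, loaderScript)
    .map((script) => activate(script, doc));
}

// Constructed sample input: stand-ins for deferred inline script elements.
const sampleLoader = { nonce: 'r4nd0m' };
const sampleDeferred = [
  { id: 'legit-js-after', nonce: 'r4nd0m', textContent: 'console.log("ok")' },
  { id: 'injected-wrong-nonce', nonce: 'wr0ng', textContent: 'console.log("blocked")' },
  { id: 'injected-no-nonce', nonce: '', textContent: 'console.log("blocked")' },
];
```

In a browser, `runAll(collectedDeferredScripts, document.currentScript, document)` would be the call shape, with the collection step left to the loader.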