CSP: Report-Only

CDN Flags (query params)
Content-Security-Policy: (none)
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; report-uri /experiments/csp/reports
Nonce: (none)

The table below updates only when each script actually executes.

An inline script without a nonce should be blocked under strict policies.

Script Type                   Expected  Executed
Inline script with nonce      Yes       No
Inline script without nonce   Yes       No
External same-origin script   Yes       No
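
The policy shown above, evaluated against the three script types in the table, first as Report-Only and then as if enforced. This is an added example, not code from this page; it models only 'self', 'unsafe-inline' and nonce sources, and the nonce value abc123 is constructed for illustration.

```javascript
// Parse a CSP header value into a Map of directive name -> source list.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// script: { inline: boolean, nonce?: string, sameOrigin?: boolean }
// Simplified model (assumption): host, scheme and hash matching are not implemented.
function violatesScriptSrc(directives, script) {
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (!sources) return false; // no governing directive, nothing to violate
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return false;
  if (script.inline) {
    // 'unsafe-inline' is ignored once a nonce or hash source is present.
    const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    return strict || !sources.includes("'unsafe-inline'");
  }
  return !(script.sameOrigin && sources.includes("'self'"));
}

function evaluate(headerName, headerValue, script) {
  const reportOnly = headerName.toLowerCase() === 'content-security-policy-report-only';
  const directives = parsePolicy(headerValue);
  const violation = violatesScriptSrc(directives, script);
  const reportUri = (directives.get('report-uri') ?? [])[0] ?? null;
  // Report-Only sends a report for a violation but never blocks execution.
  return { violation, executes: reportOnly || !violation, reportedTo: violation ? reportUri : null };
}

// The policy from this page, with constructed script descriptions for the three table rows.
const PAGE_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; " +
  "base-uri 'none'; report-uri /experiments/csp/reports";
const SCRIPTS = {
  'Inline script with nonce': { inline: true, nonce: 'abc123' },
  'Inline script without nonce': { inline: true },
  'External same-origin script': { inline: false, sameOrigin: true },
};

function evaluateAll(headerName) {
  return Object.fromEntries(Object.entries(SCRIPTS)
    .map(([label, script]) => [label, evaluate(headerName, PAGE_POLICY, script)]));
}

console.log(evaluateAll('Content-Security-Policy-Report-Only'));
```

Under the Report-Only header all three scripts are allowed to run and the two inline scripts produce violation reports; with the same policy enforced, only the external same-origin script runs.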