CSP: self-only scripts

CDN Flags (query params)
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'
Content-Security-Policy-Report-Only: (none)
Nonce: (none)

The table below updates only when each script actually executes.

Inline scripts without a nonce should be blocked in strict policies.

Script Type                    Expected   Executed
Inline script with nonce       No         No
Inline script without nonce    No         No
External same-origin script    Yes        No
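
Why the policy above produces the Expected column, as an added example that is not part of the original page: a simplified JavaScript evaluator for script-src with fallback to default-src. The origin https://app.example, the nonce value r4nd0m, the script path and the function names are assumptions constructed for illustration.

```javascript
// Added example: simplified check of whether a script may run under a CSP header.
// Handles 'self', 'none', 'unsafe-inline', nonces and full scheme://host sources;
// hashes, wildcards, 'strict-dynamic' and scheme-only sources are out of scope.

// Policy copied from the page; origin and nonce value are constructed.
const POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
const PAGE_ORIGIN = 'https://app.example';

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script: { inline: boolean, nonce?: string, url?: string }
function scriptAllowed(header, pageOrigin, script) {
  const d = parseCsp(header);
  const sources = d.get('script-src') ?? d.get('default-src'); // fallback
  if (sources === undefined) return true; // no directive governs scripts
  const lower = sources.map((s) => s.toLowerCase());
  if (script.inline) {
    const nonces = sources
      .filter((s) => /^'nonce-.+'$/i.test(s))
      .map((s) => s.slice(7, -1)); // nonce values are case-sensitive
    if (script.nonce && nonces.includes(script.nonce)) return true;
    // 'unsafe-inline' is ignored once the policy lists any nonce.
    return nonces.length === 0 && lower.includes("'unsafe-inline'");
  }
  const origin = new URL(script.url, pageOrigin).origin;
  if (lower.includes("'self'") && origin === new URL(pageOrigin).origin) return true;
  return lower.some((s) => !s.startsWith("'") && s.replace(/\/$/, '') === origin);
}

// The three rows of the page's table, evaluated against its policy.
function expectedColumn() {
  return {
    inlineWithNonce: scriptAllowed(POLICY, PAGE_ORIGIN, { inline: true, nonce: 'r4nd0m' }),
    inlineWithoutNonce: scriptAllowed(POLICY, PAGE_ORIGIN, { inline: true }),
    externalSameOrigin: scriptAllowed(POLICY, PAGE_ORIGIN, { inline: false, url: '/static/app.js' }),
  };
}
```

The nonce-bearing inline script is still blocked because the policy itself lists no nonce source, so the attribute on the script tag has nothing to match.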