CSP: unsafe-inline

CDN Flags (query params)
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none'
Content-Security-Policy-Report-Only: (none)
Nonce: (none)

The table below updates only when each script actually executes.

Inline script without nonce should be blocked in strict policies.

Script Type Expected Executed
Inline script with nonce Yes No
Inline script without nonce Yes No
External same-origin script Yes No