A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive.

Summary

Harness status: OK

Found 1 tests

1 Pass

Details

Result

Test Name

Message

Pass

Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src 'none'` policy.

Asserts run

Pass

assert_equals("script-src-elem", "script-src-elem")
    at Test.<anonymous> ( /content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html:30:17)

Pass

assert_equals("script-src 'none'", "script-src 'none'")
    at Test.<anonymous> ( /content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html:32:17)