CSP TEST..! :)

Sorry friends for the ugliness of this site... This is just a playground to test CSP behavior.

Test 1: No CSP meta tag

Test 2: VERY OPEN CSP

Test 3: CSP allows scripts from same site and external scripts

Test 4: CSP allows scripts from same site only

Test 5: CSP denies all scripts!

Test 6: CSP allows a specific inline script with a nonce!

Test 7: CSP denies everything!

Test 8: CSP denies everything - but what if we mess with iframe?

Test 9: CSP denies everything - but what if we mess with <object>?

Note: This page ONLY provides examples using script-src ... In most cases, to mitigate XSS, it should be enough. Be careful of using something like default-src. I have seen this breaking things in prod ;)
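
Why default-src reaches further than script-src, as an added example (not code from this page): it resolves which directive governs each resource type using the CSP Level 3 fallback chains. The function names, the subset of directives covered and the sample policies in the comments are assumptions made for illustration.

```javascript
// Fallback chains for a subset of fetch directives (CSP Level 3).
// When a directive is absent, the browser tries the next name in its chain.
const FALLBACK = {
  "script-src-elem": ["script-src", "default-src"],
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "img-src": ["default-src"],
  "font-src": ["default-src"],
  "connect-src": ["default-src"],
  "object-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { from, sources } for a fetch directive, or null if nothing restricts it.
function effectiveSources(policy, directive) {
  const directives = parsePolicy(policy);
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (directives.has(name)) return { from: name, sources: directives.get(name) };
  }
  return null; // no directive in the chain is present: unrestricted
}

// List every resource type in FALLBACK that the policy ends up restricting.
function restricted(policy) {
  return Object.keys(FALLBACK).filter((d) => effectiveSources(policy, d) !== null);
}

// Constructed sample policies:
//   restricted("script-src 'self'")   touches scripts and workers only
//   restricted("default-src 'none'")  touches every type listed in FALLBACK
```

A policy with only script-src leaves images, styles, fonts and XHR/fetch untouched, while default-src silently applies to all of them unless each one is given its own directive.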
Below is the skeleton page for this test, with the CSP meta tag modified for each test: