This page has `require-trusted-types-for 'script'` enabled via
CSP, but in Report-Only mode.
Importantly, the `trusted-types` directive itself is enabled in the CSP, and
its allow-list does NOT include the name of the policy for the
dynamically loaded content (e.g., imagine it's an old/cached copy of the
application that isn't aware of the new policy).
Case 1: Load dynamic code, no policy defined in the webpack config
This first button will work. The browser will log a warning to the
console (`[Report Only] This document requires 'TrustedScriptURL'
assignment.`), but otherwise the code will run fine:
Case 2: Load dynamic code, with only the policy defined in config (and
the default behavior of stopping on policy-creation failure)
This second button FAILS to work, because a Trusted Types policy is now
defined in the webpack config for the dynamic code, and yet its name isn't in
the `trusted-types` allow-list of the CSP.
Case 3: Load dynamic code, with a webpack config that allows
continuation on policy-creation failure
Finally, this last button has the new `onPolicyCreationFailure: "continue"`
option in the dynamic code's webpack config, and so it will output a
couple of warnings to the console and then work just like the first
button:
Result:
Click one of the buttons above to see the result (and compare it with what
happens in the "strict-csp" case).
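
The three cases above, modelled as an added example (not webpack's runtime code and not part of the original page). `fakeTrustedTypes` is a constructed stand-in for the browser's `trustedTypes` object, and the policy names `app-main` and `dynamic-chunks` are hypothetical.

```javascript
// Added illustration, not webpack's runtime code.
// fakeTrustedTypes is a constructed stand-in for the browser's `trustedTypes`
// object; allowList models the names in the CSP `trusted-types` directive.
function fakeTrustedTypes(allowList) {
  return {
    createPolicy(name, rules) {
      // The browser throws a TypeError for a policy name that is not allow-listed.
      if (!allowList.includes(name)) {
        throw new TypeError(`Policy "${name}" disallowed by trusted-types directive`);
      }
      return {
        createScriptURL: (url) => ({ policy: name, url: rules.createScriptURL(url) }),
      };
    },
  };
}

// Returns the function that turns a chunk URL into the value assigned to script.src.
function scriptUrlFactory(tt, policyName, onPolicyCreationFailure = "stop") {
  if (!tt || !policyName) return (url) => url; // Case 1: no policy configured
  try {
    const policy = tt.createPolicy(policyName, { createScriptURL: (url) => url });
    return (url) => policy.createScriptURL(url);
  } catch (err) {
    if (onPolicyCreationFailure !== "continue") throw err; // Case 2: loading stops
    console.warn(`Trusted Types policy "${policyName}" not created: ${err.message}`);
    return (url) => url; // Case 3: fall back to a plain string
  }
}

// Hypothetical policy names: the CSP only knows the old application's policy.
function runCases() {
  const tt = fakeTrustedTypes(["app-main"]);
  const attempt = (name, mode) => {
    try {
      const value = scriptUrlFactory(tt, name, mode)("/chunks/dynamic.js");
      return typeof value === "string" ? "plain string" : "TrustedScriptURL";
    } catch (err) {
      return "failed: " + err.name;
    }
  };
  return {
    case1: attempt(undefined, "stop"),
    case2: attempt("dynamic-chunks", "stop"),
    case3: attempt("dynamic-chunks", "continue"),
    allowListed: attempt("app-main", "stop"),
  };
}
```

The plain-string results in cases 1 and 3 load only because `require-trusted-types-for` is in Report-Only mode; with that directive enforced, assigning a plain string to `script.src` is rejected.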