This page has require-trusted-types-for 'script' set in its CSP rules.
Because that directive is in the CSP rules, and the trusted-types directive is also present and does NOT specify the name of the dynamically-loaded content policy, the browser will fail to load the dynamic code in all three cases.
Case 1: Load dynamic code, no policy defined in the webpack config
This button will fail to work, with the following error:
Failed to set the 'src' property on 'HTMLScriptElement': This document requires 'TrustedScriptURL' assignment.
Case 2: Load dynamic code, with only the policy defined in config (and the default behavior of stopping on policy-creation failure)
This second button also fails to work, this time because a trusted-types policy is now defined in the webpack config for the dynamic code, and yet its name isn't in the trusted-types allow-list of the CSP.
The failure is identical to what happened on the "report-only" page for this same case:
Failed to execute 'createPolicy' on 'TrustedTypePolicyFactory': Policy "DynamicWebpackCode" disallowed.
Case 3: Load dynamic code, with a webpack config that allows continuation on policy-creation failure
Finally, this last button has the new onPolicyCreationFailure: "continue" option in the dynamic code's webpack config. However, because we are in strict mode, it still fails in exactly the same way as Case 1 (the only difference being a few more errors and warnings on the console).
Result:
Click one of the buttons above to see the result (and compare it with what
happens in the "report-only-csp" case).
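
The three outcomes above can be reproduced with a simplified model of the two browser checks involved (policy-name allow-listing and enforced TrustedScriptURL assignment). This is an added example, not code from this page, from webpack or from any browser; the header strings and the SomeOtherPolicy name are constructed, and parseCsp, policyAllowed and loadChunk are hypothetical helpers. It goes one step beyond the page by also running the same cases against a header whose allow-list includes the webpack policy name.

```javascript
// Simplified model of the browser's Trusted Types checks (added example).
// Parse a CSP header value into a Map of directive name -> array of values.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Would trustedTypes.createPolicy(name, ...) be permitted under this CSP?
function policyAllowed(csp, name) {
  if (!csp.has("trusted-types")) return true; // no allow-list: any name may be created
  const list = csp.get("trusted-types");
  return list.includes("*") || list.includes(name);
}

// Predict the outcome of a dynamic chunk load.
// trustedTypes: undefined (Case 1) or { policyName, onPolicyCreationFailure }.
function loadChunk(cspHeader, trustedTypes) {
  const csp = parseCsp(cspHeader);
  const enforced = (csp.get("require-trusted-types-for") || []).includes("'script'");
  let havePolicy = false;
  if (trustedTypes) {
    if (policyAllowed(csp, trustedTypes.policyName)) {
      havePolicy = true;
    } else if (trustedTypes.onPolicyCreationFailure !== "continue") {
      return `createPolicy: Policy "${trustedTypes.policyName}" disallowed.`;
    }
    // "continue": fall through and assign script.src as a plain string
  }
  if (enforced && !havePolicy) {
    return "script.src: This document requires 'TrustedScriptURL' assignment.";
  }
  return "loaded";
}

// Constructed headers: a strict CSP whose allow-list lacks the webpack policy, and a corrected one.
const STRICT = "require-trusted-types-for 'script'; trusted-types SomeOtherPolicy";
const FIXED = "require-trusted-types-for 'script'; trusted-types SomeOtherPolicy DynamicWebpackCode";
const stop = { policyName: "DynamicWebpackCode", onPolicyCreationFailure: "stop" };
const cont = { policyName: "DynamicWebpackCode", onPolicyCreationFailure: "continue" };

for (const [label, csp] of [["strict", STRICT], ["fixed", FIXED]]) {
  console.log(label, [undefined, stop, cont].map((tt) => loadChunk(csp, tt)));
}
```

With the policy name on the allow-list, Cases 2 and 3 load; Case 1 still fails because no policy is configured to produce a TrustedScriptURL.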