Multiple CSP playground

This page enforces a strict CSP (delivered via HTTP headers) and carries one more CSP in report-only mode. It loads a couple of images and scripts that try to get around the CSP.


Test

Image loaded from example.com

This endpoint will be blocked by the CSP, and the image load will fail.

A dummy web page loaded as an image. This is not expected to work

Image loaded from images.unsplash.com

This endpoint is allowed by the CSP, and the image will load.

Picture showing a traffic light

Photo by Eugene Chystiakov on Unsplash


Button that'll trigger an API call

Switches between /button_click and example.com/button_click. The page's CSP allows the first one but blocks the second.
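
The outcomes described in the test cases above, as an added example that is not the playground's own code: each policy is evaluated independently, so a request can pass the enforced policy and still produce a report from the report-only one. The two header values and the page origin `https://playground.test` are constructed assumptions (the page does not show its actual headers), and the source matching is a simplified subset of CSP.

```javascript
// Added example: simplified CSP evaluation for a page with two policies.
// SELF and POLICIES are constructed assumptions, not the playground's real headers.
const SELF = "https://playground.test";
const POLICIES = [
  { reportOnly: false, header: "default-src 'self'; img-src 'self' https://images.unsplash.com; connect-src 'self'" },
  { reportOnly: true, header: "default-src 'self'; img-src 'self'" },
];

// Split a header value into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive within one policy is ignored; the first one wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Match one source expression against a URL. Supports 'none', 'self', '*', and
// [scheme://]host with an optional "*." prefix. Scheme-only sources, ports,
// paths, nonces and hashes are out of scope and never match here.
function sourceMatches(source, url, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === selfOrigin;
  if (source === "*") return url.protocol === "https:" || url.protocol === "http:";
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Check a request against every policy: an enforced violation blocks it,
// a report-only violation only adds a report.
function evaluate(directive, target, policies = POLICIES, selfOrigin = SELF) {
  const url = new URL(target, selfOrigin);
  const result = { blocked: false, reports: [] };
  policies.forEach((p, i) => {
    const parsed = parsePolicy(p.header);
    const sources = parsed.get(directive) ?? parsed.get("default-src");
    if (!sources) return; // no governing directive: this policy allows the request
    if (sources.some((s) => sourceMatches(s, url, selfOrigin))) return;
    result.reports.push({ policy: i, disposition: p.reportOnly ? "report" : "enforce", directive });
    if (!p.reportOnly) result.blocked = true;
  });
  return result;
}
```

With these assumed policies, the images.unsplash.com image loads but still yields one report with disposition "report", because the report-only policy is stricter than the enforced one.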

CSP report