Multiple CSP playground

This page enforces a strict CSP (delivered via HTTP headers) and carries a second CSP in report-only mode. It loads a couple of images and scripts that try to get around the CSP.


Image loaded from

This endpoint will be blocked by the CSP, and the image load will fail.

A dummy web page loaded as an image. This is not expected to work

Image loaded from

This endpoint is allowed by the CSP, and the image will load.

Picture showing a traffic light

Photo by Eugene Chystiakov on Unsplash

Button that'll trigger an API call

Switches between /button_click & The CSP setting of the page allows the first one, but blocks the second

CSP report
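
Added example, not part of the original page: a simplified model of how one request is treated when an enforced policy and a report-only policy are both present. The policy strings, the origins and the /blocked_click path are constructed for illustration, since the page's actual header values are not shown here.

```javascript
// Simplified model (not the full CSP matching algorithm) of one request
// being checked against several policies. All values are constructed.
const PAGE_ORIGIN = "https://playground.example";
const POLICIES = [
  { header: "Content-Security-Policy", value: "default-src 'none'; " +
      "img-src https://images.example; connect-src https://playground.example/button_click" },
  { header: "Content-Security-Policy-Report-Only", value: "default-src 'self'" },
];

function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Handles only 'none', 'self' and scheme://host[/path] source expressions.
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  let allowed;
  try { allowed = new URL(source); } catch { return false; } // 'none' and other keywords
  if (allowed.origin !== url.origin) return false;
  if (!/^[a-z][a-z0-9+.-]*:\/\/[^/]+\//i.test(source)) return true; // source has no path
  return allowed.pathname.endsWith("/")
    ? url.pathname.startsWith(allowed.pathname)
    : url.pathname === allowed.pathname;
}

function violates(policy, directive, url) {
  const sources = policy.get(directive) ?? policy.get("default-src"); // fetch fallback
  return sources !== undefined && !sources.some((s) => sourceMatches(s, url));
}

// Each policy is evaluated on its own; only an enforced one can block.
function evaluate(directive, rawUrl, policies = POLICIES) {
  const url = new URL(rawUrl, PAGE_ORIGIN);
  const result = { blocked: false, violations: [] };
  for (const { header, value } of policies) {
    if (!violates(parsePolicy(value), directive, url)) continue;
    const enforced = header === "Content-Security-Policy";
    result.blocked = result.blocked || enforced;
    result.violations.push({ disposition: enforced ? "enforce" : "report", directive });
  }
  return result;
}

console.log(evaluate("img-src", "https://images.example/light.jpg"));
```

In this model the image from the allowed host still loads, yet the tighter report-only policy records a violation with disposition "report", which is how a stricter policy can be trialled without breaking the page.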