<!DOCTYPE html>
<head>
<script src="/resources/testharness.js" nonce="123"></script>
<script src="/resources/testharnessreport.js" nonce="123"></script>
<title>CSP strict-dynamic + preload</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123' 'strict-dynamic'" />
</head>
<body>
<link id="static-no-nonce" href="resources/dummy.js?static-no-nonce" rel=preload as=script>
<link id="static-nonce" href="resources/dummy.js?static-nonce" rel=preload as=script nonce="123">
<script nonce="123">
// Number of signals observed so far. It is incremented by the
// securitypolicyviolation listener, by the load handlers on the dynamically
// inserted preload and on the nonced markup preload, and by the error handler
// on the markup preload without a nonce. The polling loop runs its assertions
// once this reaches 4.
let counter = 0;
// Set to true once a script-src-elem violation whose blocked URI contains
// "static-no-nonce" has been reported.
let cspViolation = false;
/**
 * Reports whether the Resource Timing buffer holds an entry whose URL contains
 * the given fragment.
 *
 * The surrounding test treats a matching entry as evidence that a preload was
 * fetched, and the absence of one as evidence that the policy blocked it.
 *
 * @param {string} url - Substring to look for in each entry's `name`.
 * @returns {boolean} true if at least one "resource" entry matches.
 */
const isLoaded = (url) =>
  performance
    .getEntriesByType("resource")
    .some((entry) => entry.name.includes(url));
// Record CSP violation reports. Every report counts toward `counter`, whatever
// it was raised for, so an unrelated violation would also move the polling
// loop toward its `counter >= 4` threshold. Only a script-src-elem report whose
// blocked URI contains "static-no-nonce" (the markup preload without a nonce)
// sets `cspViolation`.
window.addEventListener("securitypolicyviolation", ({ violatedDirective, blockedURI }) => {
  counter += 1;
  const isScriptElemDirective = violatedDirective === "script-src-elem";
  if (isScriptElemDirective && blockedURI.includes("static-no-nonce")) {
    cspViolation = true;
  }
});
// Preload created by this nonced script. No nonce is set on the element
// itself; the test expects it to load under 'strict-dynamic'.
const dynamicPreload = Object.assign(document.createElement("link"), {
  rel: "preload",
  href: "resources/dummy.js?dynamic-nonce",
  as: "script",
  onload: () => { counter += 1; },
});
document.head.appendChild(dynamicPreload);

// Markup preload without a nonce: the test expects the policy to block it, so
// only its error event is counted.
// NOTE(review): both markup links are parsed before this script runs, so an
// event dispatched before these listeners are attached would not be counted;
// the polling loop's tick limit presumably covers that case. Confirm.
document
  .getElementById("static-no-nonce")
  .addEventListener("error", () => { counter += 1; });

// Markup preload carrying the policy's nonce: expected to load.
document
  .getElementById("static-nonce")
  .addEventListener("load", () => { counter += 1; });
// Single async test. Every 100 ms the callback checks whether all four signals
// (one violation report, two loads, one error) have been counted. If they have
// not arrived by the seventh tick, the assertions run anyway, so a missing
// event shows up as an assertion failure.
// NOTE(review): the interval is never cleared after t.done(); confirm the
// harness ignores steps scheduled on a finished test.
const t = async_test('preload from nonced script should work with strict-dynamic. preloaded script from markup should not.');
let timerCounter = 0;
setInterval(t.step_func(() => {
  const ticksBeforeThisOne = timerCounter;
  timerCounter += 1;

  // Still waiting: fewer than four signals and the tick limit is not reached.
  if (counter < 4 && ticksBeforeThisOne <= 5) {
    return;
  }

  // Allowed paths: a preload inserted by a nonced script, and a markup preload
  // that carries the nonce.
  assert_true(isLoaded("dynamic-nonce"), "dynamic inserted preload script should have been loaded");
  assert_true(isLoaded("static-nonce"), "preload tag with a nonce should have been loaded");
  // Blocked path: a markup preload without a nonce must not be fetched, and
  // the block must be reported as a violation.
  assert_false(isLoaded("static-no-nonce"), "preload tag without a nonce should not have been loaded");
  assert_true(cspViolation, "CSP violation should have fired");
  t.done();
}), 100);
</script>
</body>
</html>