third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-script.https.html - chromium/src - Git at Google

 <!DOCTYPE html>
 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
 <script src="/resources/testharness.js" nonce="abc"></script>
 <script src="/resources/testharnessreport.js" nonce="abc"></script>

 <!-- Parser-inserted script -->
 <script nonce="abc">
   internals.registerURLSchemeAsBypassingContentSecurityPolicy('http');
 </script>
 <script id="test1" src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t1"></script>
 <script nonce="abc">
   test(t => {
     assert_equals(document.querySelector("#test1").getAttribute("loaded"), null);
   }, "Parser-inserted scripts do not bypass.");
 </script>

 <!-- Non-parser-inserted script -->
 <script nonce="abc">
   internals.registerURLSchemeAsBypassingContentSecurityPolicy('http');
   async_test(t => {
     var s = document.createElement("script");
     s.id = "test2";
     s.src = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t2";
     s.onerror = t.unreached_func("The script should execute.");
     s.onload = t.step_func_done(_ => {
       assert_equals(s.getAttribute("loaded"), "true");
     });
     document.head.appendChild(s);
   }, "Parser-inserted scripts do not bypass.");
 </script>

 <!-- Cleanup -->
 <script nonce="abc">
   add_completion_callback(_ => {
     internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http');
   });
 </script>
	<!DOCTYPE html>
	<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
	<script src="/resources/testharness.js" nonce="abc"></script>
	<script src="/resources/testharnessreport.js" nonce="abc"></script>

	<!-- Parser-inserted script -->
	<script nonce="abc">
	internals.registerURLSchemeAsBypassingContentSecurityPolicy('http');
	</script>
	<script id="test1" src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t1"></script>
	<script nonce="abc">
	test(t => {
	assert_equals(document.querySelector("#test1").getAttribute("loaded"), null);
	}, "Parser-inserted scripts do not bypass.");
	</script>

	<!-- Non-parser-inserted script -->
	<script nonce="abc">
	internals.registerURLSchemeAsBypassingContentSecurityPolicy('http');
	async_test(t => {
	var s = document.createElement("script");
	s.id = "test2";
	s.src = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t2";
	s.onerror = t.unreached_func("The script should execute.");
	s.onload = t.step_func_done(_ => {
	assert_equals(s.getAttribute("loaded"), "true");
	});
	document.head.appendChild(s);
	}, "Parser-inserted scripts do not bypass.");
	</script>

	<!-- Cleanup -->
	<script nonce="abc">
	add_completion_callback(_ => {
	internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http');
	});
	</script>