If visible, local external css not loaded
Try to get the RAN column to match the GOAL column
MDN
MDN
MDN
MDN
MDN
MDN


label el code ran goal =
? Eval from external
Play with script-src to block or allow

Original before eval-2

 
<p id="eval-2">Original before eval-2</p>
js: generated.js 
new Function(`document.getElementById('eval-2').textContent='[!] Changed from external using new Function()'`)();
? Style from stylesheet
Play with style-src to block or allow

Secrets?

 
<p id='style-self-external-2'>Secrets?</p>
<input type='PassWord' name='password' value='love4ever' />
? Remote stylesheet & fonts
Play with style-src font-src to block or allow

Should be fancy font if @import works in css for google fonts 

<p class="google-font-too">
 Should be fancy font if @import works in css for google fonts
</p>
? Youtube embed (origin)
Play with child-src object-src to block or allow 
<iframe id='iframe-remote-youtube' width='400' height='225' src='https://www.youtube.com/embed/s4wrMMju-Xc?enablejsapi=1&debugjs=1&debugcss=1' 
frameborder='0' allow='accelerometer;autoplay;encrypted-media;gyroscope;picture-in-picture' allowfullscreen></iframe>
? Vimeo embed
Play with child-src object-src to block or allow 
<iframe src='https://player.vimeo.com/video/1084537' width='400' height='225' frameborder='0' webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
? Local iframe with xss
Play with child-src object-src to block or allow

Will change if xss triggers

 
<iframe border='0' src='xss.php' width='400' height='225'></iframe>
<p id='iframe-local'>Will change if xss triggers</p>
? Local AJAX call
Play with connect-src to block or allow

Will change once AJAX is done

 
<p id='ajax-local'>Will change once AJAX is done</p>
js: generated.js 
fetch('ajax.php')
    .then(function(response) {
        return response.json();
    })
    .then(function(d) {
        var el = document.querySelector('#ajax-local');
        el.textContent = d.msg;
    })
    .catch(function(err) {
        var el = document.querySelector('#ajax-local');
        if (!el) {return;}
        el.textContent = err;
    });
? Remote AJAX call to stripe
Play with child-src script-src to block or allow 
<script src="https://checkout.stripe.com/checkout.js"></script>
<button id="stripe-button">Stripe</button>
js: generated.js 
var handler = StripeCheckout.configure({
    key: 'pk_KBCS2K6UgQc8K9VZCtNMOK4AEl5aU'
    // Ignore me
});
var btn = document.getElementById('stripe-button');
btn.addEventListener('click', function(e) {
    var x = handler.open({
      name: 'Demo Site',
      description: '2 widgets',
      amount: 10,
      opened: function() { btn.classList.add('opened'); },
    });
    e.preventDefault();
});

window.addEventListener('popstate', function() {
    handler.close();
});

btn.click();
setTimeout(function() {
  var el = document.querySelector('[name=stripe_checkout_app]');
  if (!el) {return;}
  el.style.display='none';
}, 5000);
? Local embed
Play with plugin-types object-src to block or allow 
<embed src="static/smashing-the-stack.pdf" type="application/pdf" width="400" height="225">
</embed>
? Local embed svg
Play with plugin-types object-src to block or allow 
<embed src="static/jquery.svg" type="image/svg+xml" width="400" height="225">
</embed>
? A local webworker
Play with child-src worker-src to block or allow

Waiting for worker ...

 
<p id='worker-1'>Waiting for worker ...</p>
(function(){
  if (!window.Worker) { return;}
  const worker = new Worker('/static/worker.js');
  worker.onerror = function(e) {};
  worker.onmessage = function(e) {
    var el = document.getElementById('worker-1');
    el.textContent = 'Result from worker - ' + e.data;
  };
  setTimeout(() => worker.postMessage([2, 2]), 1000);
})();
violator directive line col sample