For comparison, see the same page but without CSP index.html

This page does NOT allow inline JavaScript using CSP

Attack example

Good feature - allows the user to enter text markup and then add it to the DOM. The text area is read-only for this demo. Click the button below to link this text into the page. Notice the markup is respected.

Good feature used by an evil attacker