<?php
# The enforced header value holds two comma-separated policies:
#   1. script-src 'nonce-abcd1234'
#   2. frame-ancestors 'self'
# The comma is a policy separator, so frame-ancestors belongs to the *second*
# policy and is not a directive of the policy that carries script-src.
# A third policy, script-src 'self', is delivered separately in the
# Report-Only header.
#
# The nonce is a fixed literal only because this is a test fixture; a deployed
# policy needs a fresh, unpredictable nonce for every response.
$policyHeaders = [
    "Content-Security-Policy: script-src 'nonce-abcd1234', frame-ancestors 'self'",
    "Content-Security-Policy-Report-Only: script-src 'self'",
];

# The two header names differ, so neither header() call replaces the other.
foreach ($policyHeaders as $headerLine) {
    header($headerLine);
}
?>
<!DOCTYPE html>
<!-- Both harness scripts carry nonce="abcd1234", which matches the
     'nonce-abcd1234' source in the enforced script-src policy sent above. -->
<script src="/resources/testharness.js" nonce="abcd1234"></script>
<script src="/resources/testharnessreport.js" nonce="abcd1234"></script>
<script>
// Negative case: this block has no nonce attribute, so the enforced
// script-src 'nonce-abcd1234' policy is expected to block it. If it runs
// anyway, assert_unreached is reached and the message below is reported.
assert_unreached("This script block has no nonce, and should not execute.");
</script>
<script nonce="abcd1234">
// Positive case: the nonce matches the enforced policy, so this block is
// expected to run and register one passing test.
test(_ => {
assert_true(true);
}, "This script block has a matching nonce, and should execute.");
</script>