The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly by elements, but also inline script event handlers (onclick) and XSLT stylesheets that can trigger script execution.
The 'strict-dynamic' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored. For example, a policy such as script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/ would allow loading of a root script with and propagate that trust to any script loaded by loader.js, but disallow loading scripts from https://whitelisted.com/ unless accompanied by a nonce or loaded from a trusted script.
will act like 'unsafe-inline' https: in browsers that support CSP1, https: 'nonce-abcdefg' in browsers that support CSP2, and 'nonce-abcdefg' 'strict-dynamic' in browsers that support CSP3.
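The following added example (not part of the original page, and not a browser implementation) models how a script-src source list is reduced at each CSP level and how 'strict-dynamic' propagates trust from a nonced root script. The function names, the example.com and cdn.example URLs, and the combined fallback policy (assembled from the three behaviours listed above) are assumptions; host matching is simplified to a URL prefix check and hashes of inline scripts are not modelled.

```javascript
// Simplified model of script-src evaluation (added example, constructed inputs).
const isNonceOrHash = s => /^'(nonce|sha256|sha384|sha512)-/.test(s);

// Source list that a browser supporting the given CSP level actually enforces.
function effectiveSources(sources, level) {
  let list = sources.slice();
  if (level < 3) list = list.filter(s => s !== "'strict-dynamic'"); // unknown before CSP3
  if (level < 2) list = list.filter(s => !isNonceOrHash(s));        // unknown in CSP1
  // From CSP2 on, a recognised nonce or hash makes 'unsafe-inline' ignored.
  if (list.some(isNonceOrHash)) list = list.filter(s => s !== "'unsafe-inline'");
  // In CSP3, 'strict-dynamic' makes 'self', 'unsafe-inline', scheme and host sources ignored.
  if (list.includes("'strict-dynamic'"))
    list = list.filter(s => s.startsWith("'") && s !== "'self'" && s !== "'unsafe-inline'");
  return list;
}

// script: { src, nonce, parserInserted }. parserInserted is true for markup in the
// HTML, false for scripts created at runtime by an already trusted script.
function allowsScript(sources, level, script) {
  const list = effectiveSources(sources, level);
  if (script.nonce && list.includes(`'nonce-${script.nonce}'`)) return true;
  if (list.includes("'strict-dynamic'"))
    return Boolean(script.src) && !script.parserInserted; // trust propagation only
  if (!script.src) return list.includes("'unsafe-inline'");
  // Simplification: scheme and host sources are matched as URL prefixes.
  return list.some(s => !s.startsWith("'") && script.src.startsWith(s));
}

// Constructed policies: the first combines the three fallbacks described above,
// the second is the 'strict-dynamic' policy from the text.
const FALLBACK = ["'unsafe-inline'", "https:", "'nonce-abcdefg'", "'strict-dynamic'"];
const STRICT = ["'strict-dynamic'", "'nonce-R4nd0m'", "https://whitelisted.com/"];

// Constructed scripts: nonced root loader, a script it injects, an un-nonced tag.
const root = { src: "https://example.com/loader.js", nonce: "R4nd0m", parserInserted: true };
const child = { src: "https://cdn.example/widget.js", parserInserted: false };
const listed = { src: "https://whitelisted.com/lib.js", parserInserted: true };

for (const level of [1, 2, 3])
  console.log(`CSP${level}:`, effectiveSources(FALLBACK, level).join(" "));
for (const [name, s] of Object.entries({ root, child, listed }))
  console.log(name, "allowed under CSP3:", allowsScript(STRICT, 3, s));
```

Running the same checks with level 2 shows the host entry taking over as the fallback: the un-nonced tag from https://whitelisted.com/ is allowed and the dynamically injected script is not.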