Content Security Policy

Watch the network tab and console in developer tools

No CSP

CSP = none
Content-Security-Policy: default-src 'none'; report-uri /xss/csp-report.php?report

CSP = inline
Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'; report-uri /xss/csp-report.php?report

CSP = google (for jQuery)
Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' ajax.googleapis.com; report-uri /xss/csp-report.php?report

CSP = cloudflare (for Knockout)
Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' cdnjs.cloudflare.com; report-uri /xss/csp-report.php?report

Check also CSP3 'strict-dynamic' demo page


Source code on GitHub