hx-nonce + Trusted Types CSP test

Modes: permissive, nonce, nonce-no-eval, nonce-no-eval-no-safeeval ⚠, trusted-types, trusted-types-no-eval, trusted-types-multi, trusted-types-no-htmx ⚠

Current mode:
Check the browser console and Network tab for CSP violations.

1. Basic hx-get swap

Tests that nonced elements can make requests and swap content.

— not loaded —

2. JS eval paths (all require safeEval under no-eval CSP)

Each button exercises a different htmx JS eval entry point. Check console for output.

hx-on:click — inline event handler

hx-trigger filter — click[expression] guard

hx-vals js: — JS object expression for request body

hx-headers js: — JS object expression for request headers

hx-confirm js: — async confirm via JS expression

hx-get js: — JS expression executed instead of HTTP request (side-effect only, no swap)

— eval results —

3. Script tag execution in swapped responses

Tests whether scripts in partial responses execute based on their nonce.

With nonce — the script carries the response nonce, which hx-nonce rewrites to the page nonce. Should execute under all modes.

Without nonce — the script has no nonce. Should execute in permissive mode and be blocked by CSP in all nonce modes.

— script results —

4. Blocked elements (should never fire a request)

Both buttons should be stripped by hx-nonce and fire htmx:security:strip.

— should stay empty —