CSP default-src eval policy enabled. onclick etc., and inline scripts not allowed. The box has a .onclick property handler which should generate a box clicked! message. Conversely, the sphere has an onclick attribute handler which should be ignored. The upper yellow cone is an inline which has an onload property handler. It should generate a upper cone loaded! message. Conversely, the lower yellow cone has an onload attribute handler which should be ignored.