CSP default-src eval policy not enabled. onclick etc., and inline scripts are allowed. The box has a .onclick property handler which should generate a box clicked! message. Conversely, the sphere has an onclick attribute handler which should not be ignored. The upper yellow cone is an inline which has an onload property handler. It should generate a upper cone loaded! message. Conversely, the lower yellow cone has an onload attribute handler which should not be ignored.