chromium/third_party/blink/web_tests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html

<!DOCTYPE HTML>
<html>
<head>
  <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
  <!-- nonces are here just to let all of our scripts run -->
  <script nonce="abc" src='/resources/testharness.js'></script>
  <script nonce="abc" src='/resources/testharnessreport.js'></script>
</head>
<body>
  <script nonce="abc">
    var t_spv = async_test("Should fire securitypolicyviolation event");
    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
      assert_equals(e.violatedDirective, "script-src-elem");
      assert_equals(e.disposition, "report");
    }));
    var externalRan = false;
  </script>
  <script src='./externalScript.js'
          integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
  <script nonce="abc">
    test(function() {
      assert_true(externalRan, 'External script ran.');
    }, 'External script in a script tag with matching SRI hash should run.');
  </script></body>
</html>