hx-nonce + Alpine CSP build test


Current mode:
Alpine CSP build — no unsafe-eval required. Check console for violations.

1. Alpine reactivity (no unsafe-eval)

Basic Alpine expressions using the CSP build. Should work without unsafe-eval.


2. htmx swap + Alpine reactive content

htmx loads a partial, Alpine reacts to the new content.


3. Alpine state read by htmx hx-vals js:

htmx reads Alpine component state via hx-vals js:. Requires safeEval:true.


4. Alpine CSP limitation — globals not supported

The Alpine CSP build blocks global access entirely — console, window etc. throw "Undefined variable" Alpine errors (check console). Extract logic to Alpine.data() in a nonced <script> tag instead.
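One way to do this extraction, as an added example that is not part of the original test page. The component name counter and its members are hypothetical; the markup in the comment references those members by name, and the script is assumed to sit in a <script> tag carrying the page's CSP nonce.

```javascript
// Added example: component logic moved out of inline expressions and into
// Alpine.data(). On the page this lives in <script nonce="..."> (nonce value
// supplied by the server), and the markup only names members:
//
//   <div x-data="counter">
//     <button x-on:click="increment">+</button>
//     <span x-text="count"></span>
//     <span x-show="overFive">count is greater than 5!</span>
//     <button x-on:click="report">log</button>
//   </div>

// Hypothetical component factory. Each x-data="counter" element gets its own
// object, so state is not shared between instances.
function counter() {
  return {
    count: 0,

    increment() {
      this.count++;
    },

    // The comparison lives here, so the attribute is a plain property read.
    get overFive() {
      return this.count > 5;
    },

    // Globals such as console are reachable here because this is ordinary
    // nonced script, not an expression handled by the CSP build's evaluator.
    report() {
      const line = `count=${this.count}`;
      console.log(line);
      return line;
    },
  };
}

// Register before Alpine starts. Guarded so the file also loads outside a
// browser, where document and Alpine do not exist.
if (typeof document !== 'undefined') {
  document.addEventListener('alpine:init', () => {
    Alpine.data('counter', counter);
  });
}
```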

5. Alpine CSP self-policed sinks

The Alpine CSP build actively blocks its own dangerous sinks before they reach the DOM, so no Trusted Types (TT) violation is needed. These throw Alpine's own errors, not browser TT errors. This means trusted-types htmx alone is sufficient alongside the Alpine CSP build.

x-html — Alpine CSP throws "Using the x-html directive is prohibited"

x-init + insertAdjacentHTML — Alpine CSP throws "Accessing insertAdjacentHTML is prohibited"


x-if / x-for — Alpine CSP handles template cloning internally without hitting TT sinks

x-bind:innerHTML — Alpine CSP blocks this too