Our script-related CSP checks currently only fire for eval() and other dynamic JS execution tools, according to the SpiderMonkey documentation.

We need some explicit CSP checks in code that evaluates JS scripts:, <script module>`, event listener attributes, javascript: URLs):

• <script>:

  servo/components/script/dom/htmlscriptelement.rs

  Line 1061 in a0730d7

  pub(crate) fn run_a_classic_script(&self, script: &ScriptOrigin, can_gc: CanGc) {

• <script module>:

  servo/components/script/script_module.rs

  Line 456 in a0730d7

  fn compile_module_script(

• event listener attributes:

  servo/components/script/dom/eventtarget.rs

  Line 568 in a0730d7

  fn get_compiled_event_handler(

• javascript: URLs:

  servo/components/script/script_thread.rs

  Line 3342 in a0730d7

  pub(crate) fn eval_js_url(global_scope: &GlobalScope, load_data: &mut LoadData, can_gc: CanGc) {

Tested by https://github.com/servo/servo/tree/main/tests/wpt/tests/content-security-policy/script-src .