I think that `onload="Tracy.Dumper.init()"` in bar.js is the only thing conflicting with the CSP directive `script-src-attr 'none'` (which blocks inline event-handler attributes), but I think a thorough scan for others would be wise.
Would you be willing to replace this with an eventListener?
While I was there, I removed the deprecated document.write() call:
// Populates `win`'s document through DOM calls only: no document.write() and no
// inline onload="..." attribute, which a script-src-attr 'none' policy would block.
let doc = win.document;
// open() immediately followed by close() resets the document with nothing written into it.
// NOTE(review): no doctype is emitted on this path; confirm the resulting rendering mode is acceptable.
doc.open();
doc.close();
let charset = doc.createElement('meta');
charset.setAttribute('charset', 'utf-8');
doc.head.appendChild(charset);
doc.body.id = 'tracy-debug';
let s = doc.createElement('script');
// src is assigned as a DOM property, so the value is never parsed as HTML markup.
// NOTE(review): baseUrl is concatenated as-is; presumably it already ends in '?' or '&'
// and points at the application's own origin. Verify where it is built.
s.src = baseUrl + '_tracy_bar=js&XDEBUG_SESSION_STOP=1';
s.async = true;
// The load handler is attached from script rather than as an inline handler attribute.
// NOTE(review): `Tracy` here resolves in the scope that defines this callback, not in `win`.
// If `win` is a separate window, an inline attribute would have run against that window's
// Tracy instead. Confirm which one is intended, and use win.Tracy if it is the latter.
s.addEventListener('load', function() { Tracy.Dumper.init(); });
doc.head.appendChild(s);
I think that onload="Tracy.Dumper.init()" in bar.js is the only thing conflicting with script-src-attr: none, but I think a thorough scan for others would be wise.
Would you be willing to replace this with an eventListener?
While I was there, I removed the deprecated write()