Allow one script URL
By default script.src is refused outright. An ALLOW_SCRIPT_URL hook can permit specific, vetted URLs and refuse everything else.
The config
window.DOMFortifyConfig = {
  ALLOW_SCRIPT_URL: (url) => url.startsWith('https://cdn.jsdelivr.net/') ? url : null,
};
Try it
Swap in https://evil.example/x.js to see it refused.
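The prefix check in the config above accepts any path under that CDN host, not one URL. The following is an added example, not DOMFortify's own code, of a hook that allows only exact, version-pinned URLs. It assumes the hook contract shown above (return the URL to allow, null to refuse); `makeExactScriptUrlHook`, `prefixHook` and the `example-lib` URL are hypothetical names and constructed sample values.

```javascript
// Added example, not DOMFortify's own code. Assumes the contract shown in the
// config above: the hook gets the candidate URL, returns it to allow or null.

// Constructed sample allowlist: full, version-pinned URLs (placeholder package).
const ALLOWED_SCRIPT_URLS = [
  'https://cdn.jsdelivr.net/npm/example-lib@1.2.3/dist/example-lib.min.js',
];

// Hypothetical helper: builds a hook that permits exact matches only.
function makeExactScriptUrlHook(allowedUrls) {
  // Canonicalise the allowlist once so comparisons use the parsed form.
  const allowed = new Set(allowedUrls.map((u) => new URL(u).href));
  return function allowScriptUrl(url) {
    let parsed;
    try {
      parsed = new URL(String(url)); // relative or malformed input throws
    } catch {
      return null;
    }
    if (parsed.protocol !== 'https:') return null;
    // Compare the whole canonical URL: a different path, query string,
    // fragment or look-alike host does not match and is refused.
    return allowed.has(parsed.href) ? parsed.href : null;
  };
}

// The prefix hook from the config above, kept here for comparison.
const prefixHook = (url) =>
  url.startsWith('https://cdn.jsdelivr.net/') ? url : null;

const exactHook = makeExactScriptUrlHook(ALLOWED_SCRIPT_URLS);

// Install only when running in a page (assumes the config global shown above).
if (typeof window !== 'undefined') {
  window.DOMFortifyConfig = { ALLOW_SCRIPT_URL: exactHook };
}
```

Because the hook returns the canonical `href`, the value that is loaded is the one that was compared against the allowlist.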