Status / self-report

DOMFortify.status() tells you, honestly, whether the page is actually protected and why. protected is true only when enforcement is on, DOMFortify owns the default policy, and the sanitizer passed its smoke test.

Tip: remove the DOMPurify <script> tag and reload to watch this flip to a fail-closed state, with the reason spelled out.