csp defense with sandbox=allow-scripts

tests 1. remote script 2. inline script 3. onclick=

open console

should block d3 global object (remote)

should block inline console.log('block me')

should block evil click handler from log

should allow click handler attached from parent when img click