csp defense with sandbox=allow-scripts
tests 1. remote script 2. inline script 3. onclick=
open console
should block d3 global object (remote)
should block inline console.log('block me')
should block evil click handler from log
should allow click handler attached from parent when img click