Pick a policy and watch how the same set of injection payloads is blocked or bypassed. This is a teaching model of script-src + base-uri + object-src + img-src semantics in a modern browser — nothing is actually executed.
script-src
base-uri
object-src
img-src
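A minimal version of such a model, as an added example that is not the page's own code: it applies the four directives, including the `default-src` fallback that `base-uri` lacks, to constructed descriptors of injected markup. The names `report`, `evaluate` and `SAMPLES` and the origins `app.example` and `other.example` are assumptions; host-sources are matched exactly (no wildcards or paths) and hashes are never matched.

```javascript
// Added teaching model (not the page's code): nothing is fetched or executed.
const FALLBACK = { "script-src": "default-src", "object-src": "default-src",
                   "img-src": "default-src", "base-uri": null }; // base-uri has no fallback

function governing(policyText, directive) {
  const policy = new Map();
  for (const part of policyText.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name)) policy.set(name, sources); // first occurrence wins
  }
  if (policy.has(directive)) return policy.get(directive);
  return policy.get(FALLBACK[directive]) ?? null; // null: this load is unrestricted
}

function urlAllowed(sources, url, selfOrigin) {
  const u = new URL(url, selfOrigin);
  return sources.some((s) => {
    if (s.startsWith("'")) return s === "'self'" && u.origin === selfOrigin;
    if (s === "*") return ["http:", "https:"].includes(u.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return u.protocol === s; // scheme-source
    return u.origin === s || u.host === s; // simplified host-source: exact match only
  });
}

function inlineAllowed(sources) {
  // A nonce, hash or 'strict-dynamic' in the list makes 'unsafe-inline' ignored.
  const strict = sources.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return !strict && sources.includes("'unsafe-inline'");
}

function evaluate(policyText, item, selfOrigin) {
  const sources = governing(policyText, item.directive);
  if (sources === null) return "allowed";
  // Injected markup carries no valid nonce, so 'strict-dynamic' blocks its script URLs.
  const dynamic = item.directive === "script-src" && sources.includes("'strict-dynamic'");
  const ok = item.inline ? inlineAllowed(sources)
                         : !dynamic && urlAllowed(sources, item.url, selfOrigin);
  return ok ? "allowed" : "blocked";
}

const SAMPLES = [ // constructed descriptors of injected markup, one per directive
  { name: "inline script", directive: "script-src", inline: true },
  { name: "script src", directive: "script-src", url: "https://other.example/x.js" },
  { name: "base href", directive: "base-uri", url: "https://other.example/" },
  { name: "object data", directive: "object-src", url: "https://other.example/p" },
  { name: "img src", directive: "img-src", url: "https://other.example/i.png" },
];
function report(policyText, selfOrigin = "https://app.example") {
  return Object.fromEntries(SAMPLES.map((s) => [s.name, evaluate(policyText, s, selfOrigin)]));
}
```

Calling `report("default-src 'self'")` shows the gap the model is meant to teach: every sample is blocked except `base href`, because `base-uri` must be set explicitly.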