These pages include a whitelist.js and a blacklist.js. Most tests will attempt to load the whitelist and block the blacklist. See the code reference below for the policy actually in use.
Test page for CSP script-src path prefix wildcard
<meta
http-equiv="Content-Security-Policy"
content="script-src 'self' https://defektive.github.io/xss/dist/white*">
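
The path comparison this test exercises, as an added example (not code from this page or its author): a model of the CSP Level 3 "path-part matches path" steps, in which `*` inside a path is an ordinary character, a path ending in `/` is a directory prefix, and any other path must match exactly. The script locations under /xss/dist/ are assumptions, and scheme, host and 'self' matching are not modelled.

```javascript
// Added example: path-part matching as specified in CSP Level 3
// ("path-part matches path"). Scheme, host and 'self' handling are not modelled.

// Percent-decode one path segment; fall back to the raw text if malformed.
function decodeSegment(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (e) {
    return segment;
  }
}

// Returns true when the policy path (pathA) matches the request URL path (pathB).
function pathPartMatches(pathA, pathB) {
  if (pathA === "") return true;
  if (pathA === "/" && pathB === "") return true;
  // A policy path ending in "/" is a directory prefix; anything else is exact.
  const exactMatch = !pathA.endsWith("/");
  const listA = pathA.split("/");
  const listB = pathB.split("/");
  if (listA.length > listB.length) return false;
  if (exactMatch && listA.length !== listB.length) return false;
  if (!exactMatch) listA.pop(); // drop the empty item after the trailing "/"
  for (let i = 0; i < listA.length; i++) {
    if (decodeSegment(listA[i]) !== decodeSegment(listB[i])) return false;
  }
  return true;
}

// Policy path taken from the meta tag on this page.
const POLICY_PATH = "/xss/dist/white*";
// Assumed script locations (the page names the files but not their full paths).
const WHITELIST_JS = "/xss/dist/whitelist.js";
const BLACKLIST_JS = "/xss/dist/blacklist.js";

function report() {
  return {
    wildcardAllowsWhitelist: pathPartMatches(POLICY_PATH, WHITELIST_JS),
    wildcardAllowsBlacklist: pathPartMatches(POLICY_PATH, BLACKLIST_JS),
    exactAllowsWhitelist: pathPartMatches(WHITELIST_JS, WHITELIST_JS),
    exactAllowsBlacklist: pathPartMatches(WHITELIST_JS, BLACKLIST_JS),
    directoryAllowsBoth: pathPartMatches("/xss/dist/", WHITELIST_JS) &&
      pathPartMatches("/xss/dist/", BLACKLIST_JS),
  };
}

console.log(report());
```

Under these rules the `white*` source expression matches neither file by path, so only an exact file path separates the two scripts; a directory path admits both.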