Using the code <script src="./snow.js"></script> and later having <i style="font-size: 24px">~ Can you pop an <a href="javascript:alert(123)">alert</a> in this page?</i> is not safe because the script load may fail.
Client is being DoSed by external attacker or a different websites JavaScript.
Sever is being DoSed or is being malicious when the client uses Subresource Integrity.
Using the code
<script src="./snow.js"></script>
and later having<i style="font-size: 24px">~ Can you pop an <a href="javascript:alert(123)">alert</a> in this page?</i>
is not safe because the script load may fail.More information can be found at https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/#skipping-dependencies I think the solution would be to use an event or variable to know when the sandbox is enforced.