I haven’t got the slightest idea what the purpose of this test is as there is a total lack of information on what it is trying to achieve.
Your title says the latest fx has it aboard, well that entirely depends on what you mean by latest as ff 3.5.5 doesn’t by all accounts.
With NoScript enabled an neither mozilla or hackmill allowed you get nada test as cgi blocked. With Mozilla allowed you get 5 pass (the hackmill ones) and 5 fail (the mozilla ones). With hackmill allowed you get 10 fails.
So perhaps this says more about NoScript than it does CSP.
This is a new security policy that is going to be brought in inside Firefox and also IE and it is both run by servers and browsers to check on each other what is allowed to run there security wise. I have it as a security add-on inside Firefox. Firefox 3.6 Beta has it built in.
I hope both browser developers and web developers are going to implement it,
It aims at unpluging scripting attacks, meant for those that cannot work NS to its full potential,