diff --git a/deno.lock b/deno.lock index 2f6efcf..c655d53 100644 --- a/deno.lock +++ b/deno.lock 
@@ -1,6 +1,24 @@ { "version": "3", "remote": { + "https://cdn.jsdelivr.net/npm/boolbase@1.0.0/+esm": "d52c72a6e03cf083613a445b7789f5e0be169a17d1a6284cfa82417f081d93a1", + "https://cdn.jsdelivr.net/npm/cheerio-select@2.1.0/+esm": "42221732b1bce8c6c63e14da63b9dcd62928f33057403c3bec696fdec2ab80ec", + "https://cdn.jsdelivr.net/npm/cheerio/+esm": "527ec766a35ec10f6f41cf88b3df2fa624fe9aa53759d613cdc6b35ac78e3cec", + "https://cdn.jsdelivr.net/npm/content-security-policy-parser@0.6.0/script/mod.js": "4f9a231414b94f0ac603f90f1b339517179089a37ff945cab37e5587fb392510", + "https://cdn.jsdelivr.net/npm/content-security-policy-parser@0.6.0/script/mod.js/+esm": "96e99fb13a42f90f9d1481ae49238f55b02a85a8beb2cdc3bfd2c3c4e2302d64", + "https://cdn.jsdelivr.net/npm/css-select@5.1.0/+esm": "47e75da2aca030df8fbdd72ceb87d2fd6d21af6752c01503b50a2d1c07aa3962", + "https://cdn.jsdelivr.net/npm/css-what@6.1.0/+esm": "f839976bcc3ebb5dcb9de537541601c9077f28ed4cf3ae24a13c971489001d1e", + "https://cdn.jsdelivr.net/npm/dom-serializer@2.0.0/+esm": "1aa19e6645656e5a47d932c53b9eea52a467cde6817ef4c7676a0edb499fea6f", + "https://cdn.jsdelivr.net/npm/domelementtype@2.3.0/+esm": "dd9d2303c55fe25c4290de142385cd3862149526d3c4e73a91ed81e002f059d7", + "https://cdn.jsdelivr.net/npm/domhandler@5.0.3/+esm": "a7dc953c1c72a84b978d0a403e40f5fc44951df21daa147eb6e6cb31a565b368", + "https://cdn.jsdelivr.net/npm/domutils@3.1.0/+esm": "0d86494f28cc3c0c1a9f70679c911d288c33940f07c19200cacf23493eee83bb", + "https://cdn.jsdelivr.net/npm/entities@4.5.0/+esm": "7da8fa90cb0ee6d6cf1d7f7024a547bfec03003c97d2064988d5e4437a60572c", + "https://cdn.jsdelivr.net/npm/entities@4.5.0/lib/decode.js/+esm": "c8bf0b17edea75d05ca3df97ec198fe3fb596f229742b6cb619682e5ef56fd9d", + "https://cdn.jsdelivr.net/npm/entities@4.5.0/lib/escape.js/+esm": "a33e5f3494365da8028dcce713a4e43594defba4b825d693e5b36d326e5b475c", + "https://cdn.jsdelivr.net/npm/htmlparser2@9.1.0/+esm": "fcc8fef535b069df1ba190e9323ea8353bb3c54103591a1e18050fcf78d4c433", + 
"https://cdn.jsdelivr.net/npm/nth-check@2.1.1/+esm": "793bc05688407f878bf96853bf45eb55463b811c7f98703ec978e26c17c3844f", + "https://cdn.jsdelivr.net/npm/parse5-htmlparser2-tree-adapter@7.0.0/+esm": "e593cdf76f179b69a615d2f5d513161c059f60d4d948211433e9df5f43aa264d", + "https://cdn.jsdelivr.net/npm/parse5@7.1.2/+esm": "9d0b2bd9cb9dc15def0073381e8949d634afb2d4c05ef51d09348b81d32e171a", "https://deno.land/std@0.224.0/assert/_constants.ts": "a271e8ef5a573f1df8e822a6eb9d09df064ad66a4390f21b3e31f820a38e0975", "https://deno.land/std@0.224.0/assert/assert.ts": "09d30564c09de846855b7b071e62b5974b001bb72a4b797958fe0660e7849834", "https://deno.land/std@0.224.0/assert/assert_almost_equals.ts": "9e416114322012c9a21fa68e187637ce2d7df25bcbdbfd957cd639e65d3cf293", diff --git a/tests/fixtures/basic.html b/tests/fixtures/basic.html new file mode 100644 index 0000000..95fa272 --- /dev/null +++ b/tests/fixtures/basic.html @@ -0,0 +1,18 @@ + + +
+ + + + + + + + + + +
\ No newline at end of file
diff --git a/src/index.test.ts b/tests/index.test.ts
similarity index 64%
rename from src/index.test.ts
rename to tests/index.test.ts
index d2fc269..4d105b2 100644
--- a/src/index.test.ts
+++ b/tests/index.test.ts
@@ -2,7 +2,15 @@ import {
 assertMatch,
 assertStrictEquals,
 } from "https://deno.land/std@0.224.0/assert/mod.ts";
-import { csp } from "./index.ts";
+import { csp } from "../src/index.ts";
+
+import * as cheerio from "https://cdn.jsdelivr.net/npm/cheerio/+esm";
+
+import cspParser from "https://cdn.jsdelivr.net/npm/content-security-policy-parser@0.6.0/script/mod.js/+esm";
+import { assertEquals } from "https://deno.land/std@0.224.0/assert/assert_equals.ts";
+import { assert } from "https://deno.land/std@0.224.0/assert/assert.ts";
+import { assertArrayIncludes } from "https://deno.land/std@0.224.0/assert/assert_array_includes.ts";
+const parseContentSecurityPolicy = cspParser.default;
 Deno.test({
 name: "non-html responses are returned untouched",
@@ -13,24 +21,46 @@ Deno.test({
 const result = await csp(response);
 assertStrictEquals(response, result);
+ assertEquals(response.headers.has('content-security-policy'), false)
 await response.body?.cancel();
 },
 });
+
+Deno.test({
+ name: "non-html (png) responses masquerading as html are returned with identical bodies",
+ fn: async () => {
+ const response = new Response(Uint8Array.from([137, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13, 73, 72, 68, 82, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 55, 110, 249, 36, 0, 0, 0, 10, 73, 68, 65, 84, 120, 1, 99, 96, 0, 0, 0, 2, 0, 1, 115, 117, 1, 24, 0, 0, 0, 0, 73, 69, 78, 68, 174, 66, 96, 130]), {
+ headers: { "content-type": "text/html" },
+ });
+ const originBody = await response.clone().arrayBuffer()
+
+ const result = await csp(response);
+ assertEquals(originBody, await result.arrayBuffer());
+ },
+});
 Deno.test({
 name: "html responses are modified",
 fn: async () => {
- const response = new Response("
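Review bot: The cheerio import added in the first hunk of tests/index.test.ts, `https://cdn.jsdelivr.net/npm/cheerio/+esm`, carries no version, unlike the `content-security-policy-parser@0.6.0` import next to it and the `std@0.224.0` imports. deno.lock stores a hash for that exact URL, so once the CDN resolves the unversioned path to a newer release the integrity check will presumably fail, and the easy way out is to regenerate the lock and accept code nobody reviewed. Pin the version in the URL, e.g. `import * as cheerio from "https://cdn.jsdelivr.net/npm/cheerio@<version>/+esm";` (placeholder: use the release that was resolved when this lock was written), and refresh the matching lock entry. The same unversioned URL is what the deno.lock hunk records.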