Visit this page using this link:

https://scotthelme.co.uk/x-xss-protection-1-demo/?foo=%3Cscript%20src=%22https://securityheaders.io/alert.js%22%3E%3C/script%3E

 

The XSS filter (in Chrome at least) will detect that the script in the GET parameter is also present in the DOM and block it from loading. This can be used to disable arbitrary scripts on the page, and it is the default setting if you do not set the header.

 

This script shouldn't load; check for an error in dev tools.

<script src="https://securityheaders.io/alert.js"></script>
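
The behaviour described above, as an added example that is not part of the original page and is not Chrome's actual implementation: a simplified model of the reflection check, run against the link and script tag from this page. The function names, the matching rule and the `/app.js` script are assumptions made for the illustration.

```javascript
// Simplified model of a reflection-based XSS filter. This is an illustration,
// not Chrome's algorithm: a <script> element in the served HTML counts as
// "reflected" when its text also appears, URL-decoded, in a query-string value.

// Lower-case and collapse whitespace so formatting differences still match.
function normalize(s) {
  return s.toLowerCase().replace(/\s+/g, " ").trim();
}

// Extract every <script ...>...</script> element from the HTML as text.
function scriptElements(html) {
  return html.match(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi) || [];
}

// Report, for each script element, whether the model would block it.
function auditReflectedScripts(pageUrl, html) {
  const values = [...new URL(pageUrl).searchParams.values()].map(normalize);
  return scriptElements(html).map((element) => ({
    element,
    blocked: values.some((v) => v.includes(normalize(element))),
  }));
}

// The link from this page, and the same page without the query string.
const BASE_URL = "https://scotthelme.co.uk/x-xss-protection-1-demo/";
const DEMO_URL = BASE_URL +
  "?foo=%3Cscript%20src=%22https://securityheaders.io/alert.js%22%3E%3C/script%3E";

// Constructed sample document: /app.js is a hypothetical second script.
const SAMPLE_HTML = [
  '<script src="/app.js"></script>',
  "<p>demo page body</p>",
  '<script src="https://securityheaders.io/alert.js"></script>',
].join("\n");

for (const url of [DEMO_URL, BASE_URL]) {
  console.log(url);
  for (const { element, blocked } of auditReflectedScripts(url, SAMPLE_HTML)) {
    console.log(`  ${blocked ? "BLOCKED" : "loads  "} ${element}`);
  }
}
```

Only the script whose markup is echoed in the `foo` parameter is flagged, which is why the same tag loads normally when the page is opened without the query string.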