The onload HTML attribute wouldn’t work because the CSP (Content Security Policy) is set to script-src 'self', which blocks inline event handlers and only allows running JS from .js files hosted on the same scheme, host and port as the page.
More information about CSP can be found here.
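The following is an added example, not code from the original page: a simplified model of how a browser evaluates script-src for an inline event handler such as onload and for an external script URL. The function names and the app.example.test URLs are assumptions made for illustration; wildcards, scheme-less host sources, paths and 'strict-dynamic' are not modelled.

```javascript
// Added example: simplified model of script-src evaluation (not a full CSP parser).

// Return the source list that governs scripts, or null if scripts are unrestricted.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  // script-src falls back to default-src when it is absent.
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Inline event handlers (onload, onerror, ...) run only with 'unsafe-inline'.
function allowsInlineHandler(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// External scripts are matched against each source expression in turn.
function allowsExternalScript(policy, scriptUrl, pageUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, pageUrl); // resolves relative URLs
  return sources.some((raw) => {
    const src = raw.toLowerCase();
    // 'self' means same scheme, host and port as the page.
    if (src === "'self'") return script.origin === page.origin;
    // Scheme source such as "https:".
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return script.protocol === src;
    // Remaining keywords ('none', 'unsafe-inline', ...) never match a URL.
    if (src.startsWith("'")) return false;
    // Origin source such as "https://cdn.example.test".
    try { return new URL(src).origin === script.origin; } catch { return false; }
  });
}

// Constructed sample values for a stand-alone run.
const PAGE = 'https://app.example.test/profile';
const POLICY = "script-src 'self'";
console.log('inline onload allowed:', allowsInlineHandler(POLICY));
console.log('/static/app.js allowed:', allowsExternalScript(POLICY, '/static/app.js', PAGE));
```
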