Reflected XSS behind a CSP that has a JSONP endpoint on-origin

/csp-bypass · sink: Markup() / |safe

The CSP looks restrictive (script-src 'self'), but the same-origin /jsonp endpoint reflects its callback into executable JavaScript, so it acts as a bypass.

Response CSP: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; base-uri 'none'


Hint

Inline <script> is blocked by CSP. But this same origin exposes /csp-bypass/jsonp?cb=<name> which reflects <name> into executable JS. Try a payload that loads <script src=/csp-bypass/jsonp?cb=alert(1)//>.

The relevant endpoint on this origin: /csp-bypass/jsonp?cb=<name> — try it directly to see what it returns.
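
A defensive counterpart to the hint above, as an added example that is not the lab's own code: the reflecting JSONP behaviour beside a hardened response builder that only accepts identifier-shaped callbacks. The function names, the sample data and the regex limits are assumptions made for illustration.

```python
import json
import re

# Strict allowlist: a dotted JavaScript identifier path and nothing else.
# Parentheses, slashes, quotes and whitespace can never match.
# Length and depth limits are illustrative assumptions.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]{0,63}"
CALLBACK_RE = re.compile(_IDENT + r"(?:\." + _IDENT + r"){0,3}")

# Constructed sample data; the lab's real JSONP payload is not shown on the page.
SAMPLE_DATA = {"status": "ok"}


def jsonp_vulnerable(cb, data=SAMPLE_DATA):
    """Behaviour the hint describes: cb is reflected verbatim into JS."""
    return f"{cb}({json.dumps(data)})"


def jsonp_hardened(cb, data=SAMPLE_DATA):
    """Return (status, headers, body); reject any cb that is not an identifier."""
    headers = {"X-Content-Type-Options": "nosniff"}
    # fullmatch: the whole value must be an identifier path, so a trailing
    # newline or appended expression fails instead of being ignored.
    if not CALLBACK_RE.fullmatch(cb or ""):
        headers["Content-Type"] = "text/plain; charset=utf-8"
        return 400, headers, "invalid callback"
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    # Leading /**/ keeps the caller from controlling the first bytes of the body.
    return 200, headers, f"/**/{cb}({json.dumps(data)});"


if __name__ == "__main__":
    # The callback value from the hint, then a plain identifier (constructed).
    for cb in ("alert(1)//", "handleData"):
        print(repr(cb), "->", jsonp_vulnerable(cb), "|", jsonp_hardened(cb)[::2])
```

Validation stops arbitrary expressions from being reflected, but a validated callback still names a function that script-src 'self' will allow to run. Removing the JSONP endpoint, or serving it from a separate origin, is what takes it out of the policy's trusted set.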

View source for this lab → · /meta/csp-bypass