Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
This page allows JSONP endpoints. Try injecting a payload that triggers XSS:
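Seen from the defender's side, the weakness in the policy above is that `script-src` trusts whole origins, so every script-returning URL on those hosts, callback-style (JSONP) endpoints included, counts as an allowed script. The following is an added example, not part of the original page: a small audit that flags that pattern and compares the page's policy with a constructed nonce-based one. The function names, finding ids and the nonce placeholder are assumptions made for the illustration.

```javascript
// Added example: defensive audit of a CSP's script sources (not from the original page).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function auditScriptSources(policy) {
  const d = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = d['script-src'] || d['default-src'] || [];
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  const findings = [];

  for (const src of sources) {
    if (src.startsWith("'")) continue;   // keyword, nonce or hash
    if (strictDynamic) continue;         // host allowlist is ignored under 'strict-dynamic'
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      findings.push({ id: 'scheme-wide', source: src });
      continue;
    }
    const hostAndPath = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
    const slash = hostAndPath.indexOf('/');
    const path = slash === -1 ? '' : hostAndPath.slice(slash);
    if (path === '' || path === '/') {
      // Whole origin trusted: any JSONP endpoint it hosts is an allowed script source.
      findings.push({ id: 'whole-origin-allowlisted', source: src });
    }
  }
  if (!hasNonceOrHash) findings.push({ id: 'no-nonce-or-hash' });
  if (!d['object-src'] && !d['default-src']) findings.push({ id: 'object-src-missing' });
  return findings;
}

// The policy from this page, and a constructed nonce-based alternative (nonce is a placeholder).
const PAGE_POLICY = "script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';";
const NONCE_POLICY = "script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

console.log(auditScriptSources(PAGE_POLICY));
console.log(auditScriptSources(NONCE_POLICY));
```

In a real deployment the nonce is a fresh random value generated for each response, never a fixed string.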