Show us devs how restrictive or loose the CSP of the website is. I know you can’t bypass it. But script injection can be only partially blocked, so check all the methods and see if they’re blocked or not.
Examples:
- we can host the script on a CDN URL and load it
- we can inject script as a raw script tag with text
- we can use a patched browser as an ultimate tool, so that it can ignore certain CSP and run our code anyway.
Check which of these methods are allowed or blocked by CSP so we can work around it.
Related:
- This guy got blocked by CSP of a website:
https://scripty.featurebase.app/p/issues-with-content-security-policy
In Review
Ideas + Bugs
21 days ago

usable8145