Google Tag Manager (GTM + unsafe-eval) https://github.com/k1tten/writeups/blob/master/bugbounty_writeup/HackMD_XSS_%26_Bypass_CSP.md
A Wormable XSS on HackMD! (cdnjs + angular CSTI) https://blog.orange.tw/2019/03/a-wormable-xss-on-hackmd.html
an exception for cookies set without a SameSite attribute less than 2 minutes ago. Such cookies will also be sent with non-idempotent (e.g. POST) top-level cross-site requests.… Support for this intervention ("Lax + POST") will be removed in the future.
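
The exception quoted above, written out as a simplified decision model. This is an added example, not browser source code or code from the original page. It assumes a browser that treats a cookie with no SameSite attribute as Lax; the function names, object fields and sample values are hypothetical.

```javascript
// Simplified model of when a browser attaches a cookie to a request.
// Assumption: a cookie with no SameSite attribute is treated as Lax by default.
const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // "less than 2 minutes ago"
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the SameSite attribute from a Set-Cookie header value.
// Returns "Strict", "Lax", "None", or undefined when absent or unrecognised.
function parseSameSite(setCookie) {
  for (const part of setCookie.split(";").slice(1)) {
    const [name, value = ""] = part.trim().split("=");
    if (name.toLowerCase() !== "samesite") continue;
    const v = value.trim().toLowerCase();
    if (v === "strict") return "Strict";
    if (v === "lax") return "Lax";
    if (v === "none") return "None";
  }
  return undefined;
}

// cookie:  { sameSite, secure, createdAt }  (createdAt in ms)
// request: { crossSite, topLevelNavigation, method, now }  (now in ms)
function cookieIsSent(cookie, request) {
  if (!request.crossSite) return true;                // same-site: always attached
  if (cookie.sameSite === "Strict") return false;
  if (cookie.sameSite === "None") return cookie.secure === true; // None needs Secure
  // Explicit Lax, or Lax applied by default, from here on.
  if (!request.topLevelNavigation) return false;      // subresource, iframe, fetch
  if (SAFE_METHODS.has(request.method.toUpperCase())) return true;
  // Unsafe top-level request (e.g. a POST form submission): only a cookie that
  // was set WITHOUT the attribute gets the temporary "Lax + POST" exception.
  if (cookie.sameSite === undefined) {
    return request.now - cookie.createdAt < LAX_POST_WINDOW_MS;
  }
  return false;
}

// Constructed sample: the same session cookie with and without the attribute,
// hit by a cross-site top-level POST 30 seconds after it was set.
function demo() {
  const t0 = 1000000;
  const post = { crossSite: true, topLevelNavigation: true, method: "POST", now: t0 + 30000 };
  const headers = ["sid=abc; Path=/; HttpOnly", "sid=abc; Path=/; HttpOnly; SameSite=Lax"];
  return headers.map((h) =>
    cookieIsSent({ sameSite: parseSameSite(h), secure: false, createdAt: t0 }, post));
}
```

Setting `SameSite=Lax` explicitly on session cookies removes the two-minute window, so cross-site POST protection does not depend on the cookie's age.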