Lack of Object-src and Default-src Scenario

Content-Security-Policy: script-src 'self';

This page has no object-src or default-src directives. Try injecting a payload that triggers XSS.
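A check for the gap this scenario describes, as an added example that is not part of the original page: it parses a policy string and lists the fetch directives that are neither set nor covered by a default-src fallback. The function names are hypothetical, the directive list is a subset of those that fall back directly to default-src, and the two corrected policies are constructed for illustration.

```javascript
// Fetch directives that fall back directly to default-src when absent (subset).
const FETCH_DIRECTIVES = ['script-src', 'object-src', 'style-src', 'img-src',
  'connect-src', 'font-src', 'media-src'];

// Parse a policy string into Map<directive name, source list>.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. after a trailing ';'
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list the browser enforces for a directive, or null if unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Names of fetch directives the policy leaves without any restriction.
function unrestrictedDirectives(header) {
  const policy = parsePolicy(header);
  return FETCH_DIRECTIVES.filter((d) => effectiveSources(policy, d) === null);
}

// The scenario's policy, then two corrected forms (constructed for this example).
const scenario = "script-src 'self';";
const withObjectSrc = "script-src 'self'; object-src 'none'";
const withDefaultSrc = "default-src 'none'; script-src 'self'";

for (const header of [scenario, withObjectSrc, withDefaultSrc]) {
  console.log(header, '->', unrestrictedDirectives(header));
}
```

Adding `object-src 'none'` closes only that directive; the `default-src 'none'` form also covers every other fetch directive in the list.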