If you found XSS and in CSP policy unsafe-inline, inline script is disabled and script can be loaded from whitelisted domains "script-src 'self. You can't upload script to current domain, but you see YouTube or google in whitelist domains IN CSP you can use this script below! .