CSP bypass: How one Chrome XSS bug took 2.5 years and an HTML spec change to fix
Discovered by Jun Kokatsu, the bug allowed crafty attackers to bypass Content Security Policy (CSP), an HTTP header that restricts external resources loaded and run on the web page.