Hacker News
by wuyishan 3047 days ago
Couldn't Content Security Policy (CSP) [1] be used to mitigate this attack?

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

1 comment

It actually can't. Instagram does use this to protect against JavaScript injection from extensions, but clearly injecting CSS is allowed.
But could you use CSP to block the image loading that happens in the CSS with 'img-src' definitions?

Someone else in this thread suggested that as well.

The requested resource, however, could be blocked by a CSP.