Hacker News
by minitech 2901 days ago
I’m confused. If you already have script injection on a website with script-src 'unsafe-inline' (!!!), what do you need to bypass? I guess for some very unusual types of websites it could be hard to get information out, but you’re otherwise free to perform any action within the site as the user.
1 comment

You would need to bypass connect-src in order to exfiltrate data. Even if you are able to call fetch() on your endpoint through XSS, CSP would block the network request. So the iframe and webrtc methods in the article are geared towards bypassing that, since connect-src would fall back to default-src in this case.