by opinologo 2052 days ago
Any idea how the attacker manages to inject their JavaScript code?

Sounds like it's likely coming from a browser extension because they called it "client side".
"The skimmer injects a loader into the page source as an inline script."

"Given the obfuscated nature and supply chain origination of in-browser attacks, traditional CSP-reliant approaches miss most of these types of attacks."

"Also, a lot of CSP policies don't limit WebSockets usage."

...But CSP is very aggressive with denying inline scripts.

Could be a browser plugin, or maybe an infected common JS package?

My reaction exactly. This whole post seemed like purely thrown shade against CSP, which should prevent both injection and data exfiltration as designed when used correctly, in order to sell Akamai's product.
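
Added example, not part of the thread or of any commenter's post: a small JavaScript check for the two CSP properties the comments raise, whether a policy lets inline scripts run and whether it restricts where WebSockets may connect. The function names and the sample policy are constructed for illustration, and treating `*` in `connect-src` as permitting WebSockets is a conservative assumption.

```javascript
// Parse a Content-Security-Policy header value into Map(directive -> sources).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Return the first directive in the fallback chain that the policy defines.
function firstPresent(directives, chain) {
  return chain.find((name) => directives.has(name)) || null;
}

function auditCsp(header) {
  const d = parseCsp(header);
  // Inline <script> elements: script-src-elem, then script-src, then default-src.
  const scriptDir = firstPresent(d, ["script-src-elem", "script-src", "default-src"]);
  // WebSocket connections: connect-src, then default-src.
  const connectDir = firstPresent(d, ["connect-src", "default-src"]);

  let inlineScriptsAllowed = true; // no governing directive means no restriction
  if (scriptDir) {
    const src = d.get(scriptDir);
    // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
    const overridden = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s)) ||
      src.includes("'strict-dynamic'");
    inlineScriptsAllowed = src.includes("'unsafe-inline'") && !overridden;
  }

  let webSocketsUnrestricted = true; // same: nothing governs connections
  if (connectDir) {
    const src = d.get(connectDir);
    // Scheme-only sources allow any host; "*" is treated the same (assumption).
    webSocketsUnrestricted = src.some((s) => s === "*" || s === "ws:" || s === "wss:");
  }
  return { scriptDir, connectDir, inlineScriptsAllowed, webSocketsUnrestricted };
}

// Constructed sample policy: blocks inline scripts but leaves WebSockets open.
const sample = "script-src 'self' https://cdn.example; img-src *";
console.log(auditCsp(sample));
```

A policy with no `connect-src` and no `default-src` places no limit on WebSocket destinations even when its `script-src` is strict, so both results need to be false before the policy addresses injection and exfiltration together.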