Content Security Policy
The policy applied to this page is:
default-src 'self' 'unsafe-inline' https: data: blob:
Attack
A third-party script loaded from tracker-script.pages.dev injects a
blob: iframe into this page. This is permitted due to permissive fallback, combining values from multiple directives.
If the iframe below displays this page’s location.origin, it has inherited first-party privileges.