Content-Security-Policy: script-src 'self'; object-src 'none';
script-src 'self'; object-src 'none';
This page allows scripts from 'self'. If you can upload a file, try injecting a script: