NoteKeeper has XSS but hides behind Content-Security-Policy. Three progressively harder CSP configurations to bypass.
