Jun 21 2021 CSP bypass: How one Chrome XSS bug took 2.5 years and an HTML spec change to fix

Source

Browser flaw enabled XSS attacks on protected pages [...]