Collection of CSP bypasses

On this page, I'd like to collect a set of CSP bypasses related to nonces. CSP policies using nonces are considered very strong in terms of security. However, there are many (sometimes unusual) situations in which nonces can be bypassed.

It is still unclear to me, if these bypasses have a practical impact on CSP's protective capabilities. Nevertheless, I'd like to explore these situations to better understand the boundaries of CSP.

Furthermore, I'd like to encourage other researchers to have a closer look at CSP nonces.

General bypasses

• Bypassing script nonces via the browser cache (DOM-based XSS)
• Bypassing script nonces via the BFCache (by @arturjanc)
• Bypassing script nonces via the AppCache (by @sirdarckcat)
• Bypassing script nonces via partial markup injections I
• Bypassing script nonces via partial markup injections II (PoC only contains nonce stealing part)
• Bypassing script nonces via event handlers and changeable sources
• Bypassing script nonces via DOM XSS (by @sirdarckcat)
• Bypassing script nonces via CSS I (by @sirdarckcat)
• Bypassing script nonces via CSS II (by @sirdarckcat)
• Bypassing script nonces via SVG set tags (by @sirdarckcat)
• Bypassing script nonces via SVG animate tags I (by @sirdarckcat)
• Bypassing script nonces via SVG animate tags II (by @0x6D6172696F)
• Bypassing script nonces via XSLT (by @sirdarckcat)
• Bypassing script nonces via base tags and data URIs (by @jackmasa)
• Bypassing script nonces via base tags and external URIs
• Bypassing script nonces via social engineering
• Bypassing script nonces by predicting random numbers
• Bypassing script nonces via Relative Path Override (RPO) vulnerabilities
• Bypassing script nonces by injecting into a URL of a nonced script
• Bypassing script nonces by injecting into a nonced script

Framework-specific bypasses

• (strict-dynamic) Bypassing script nonces in Closure via CLOSURE_BASE_PATH (by @sirdarckcat)
• (strict-dynamic) Bypassing script nonces in Polymer via JSONP tags (by @kkotowicz)
• (strict-dynamic) Bypassing script nonces in Polymer via iron-ajax (by @kkotowicz)
• (strict-dynamic) Bypassing script nonces in Polymer via templates (by @kkotowicz)
• (strict-dynamic) Bypassing script nonces in jQuery via $.get (by @kkotowicz)
• Bypassing script nonces in jQuery via jQuery templates (by @0x6D6172696F)
• Bypassing script nonces in jQuery via hijacking handlebar templates
• Bypassing script nonces in Ember via Ember templates (by @0x6D6172696F)
• Bypassing script nonces in Angular via interpolation (by @sirdarckcat)