On my previous report (number 126464) I've mentioned that analytics.twitter.com has a CSP bypass which I couldn't exploit that time.
Now, I've found a reflected XSS on careers.twitter.com which again I couldn't exploit by itself. Because you have CSP, and I've combined two of them to successfully trigger XSS.
If you visit the url: https://careers.twitter.com/en/jobs-search.html?location=1%22%3E%3Cscript%20src=//analytics.twitter.com/tpm?tpm_cb=alert%28document.domain%29%3E//
you will see xss triggered.