HackerOne: Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com

Greetings, I believe I may have found a way to bypass CSP on hackerone.com The issue lies here: img-src 'self' data: www.google-analytics.com As you can imagine, how can image tags be used maliciously here to this safe site? Well, as you know, on google-analytics.com we have the ability to host...