Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP)
Bypassing modern XSS mitigations with code-reuse attacks - Truesec
How to Use X-XSS-Protection for Evil
The XSS Auditor refused to execute a script in http://default.aspx because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy'
XSS Auditors – Abuses, Updates and Protection | Invicti
On Cross-Site Scripting and Content Security Policy
Exotic HTTP headers - CleanTalk's blog
CSP Bypass Challenge Writeup : r/netsec
In Depth: Content Security Policy - by Stephen Rees-Carter
google chrome - Chromium's XSS auditor refused to execute a script - Stack Overflow
javascript - Refused to execute script because its MIME type ('application/gzip') is not executable, and strict MIME type checking is enabled - Stack Overflow