This writeup is about our uninteded solution of a very cool Web challenge by Hugo DELVAL. The intended solution was about triggering an XSS and bypass the CSP via a JSONP endpoint on www.google.com. Our solution abused the `data:[<mediatype>][;base64],<data>` URIs to get JavaScript execution.