Goal: this page ships a strict CSP (script-src 'self', no 'unsafe-eval'), which blocks eval/new Function in page script. chrome_evaluate and chrome_snapshot must still work because they run through the Chrome DevTools Protocol (CDP), which is not subject to page CSP.
A secret token is exposed only at window.__cspToken; it is never written into the DOM. Use chrome_evaluate to read it, type it into the field (use the snapshot/uid to find the field), then click Verify.
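
Added example, not part of this test page: a check that decides from a serialized policy whether in-page eval/new Function is blocked, the property the CSP described above relies on. It applies the script-src to default-src fallback; the function names and sample policies are constructed for illustration.

```javascript
// Added example: decide whether a CSP blocks eval()/new Function() in page script.
// Function names are hypothetical; sample policies in the usage are constructed.

// Parse one serialized policy into a Map: directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval is governed by script-src, falling back to default-src.
function evalBlocked(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  // No governing directive at all: the policy does not restrict eval.
  if (sources === undefined) return false;
  // Exact keyword match, so 'wasm-unsafe-eval' does not re-enable JS eval.
  return !sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// When several policies are delivered, each one is enforced,
// so a single blocking policy is enough to block eval.
function evalBlockedByAny(policies) {
  return policies.some(evalBlocked);
}

// Constructed usage: the policy described on this page.
console.log(evalBlocked("script-src 'self'"));
```

A result of true only describes script running in the page; it says nothing about evaluation issued over CDP, which the page states is not subject to the policy.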