Abusing a static nonce in Content Security Policy (CSP) to execute XSS