diff --git a/cheatsheets/xss.md b/cheatsheets/xss.md index 5301942..10979af 100644 --- a/cheatsheets/xss.md +++ b/cheatsheets/xss.md @@ -311,3 +311,21 @@ __ javascript:alert(document.domain) ```js {{constructor.constructor('alert(1)')()}} ``` + +**Content Security Policy (CSP) bypass via JSONP endpoints** + +Grab the target's CSP: + +``` +curl -I http://example.com | grep 'Content-Security-Policy' +``` + +Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will notify you if one of the whitelisted domains has JSONP endpoints. + +![image](https://user-images.githubusercontent.com/18099289/32136707-a1c12510-bc12-11e7-8a80-8a22b3e94232.png) + +Now we can use a Google dork to find some JSONP endpoints on the domains listed above. + +``` +site:example.com inurl:callback +```
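Review bot: the `curl -I http://example.com | grep 'Content-Security-Policy'` line in the new section is case-sensitive, but HTTP header names are not and HTTP/2 servers emit them lowercased, so the grep can silently miss the policy; `grep -i` fixes that, and the text should also say that a policy delivered only via a `<meta http-equiv="Content-Security-Policy">` tag never appears in a HEAD response, and that a `Content-Security-Policy-Report-Only` match is not an enforced policy. Separately, the two new fences are untagged while the file's existing fence is ` ```js `, so tagging them (` ```sh ` for the curl line, ` ```text ` for the search query) keeps the cheatsheet consistent, and the `![image](...)` alt text should describe what the CSP Evaluator screenshot shows rather than read "image".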