TIL: sourceMappingURL bypasses CSP
2021-09-07
- js
- security
- sourcemap
Apparently sourceMappingURL (the little comment at the end of compiled JS files) bypasses CSP and can be used to detect if the devtools are open. There’s this whole “anti debugging” area of interest that’s outlined here.
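
A defensive check that follows from this, as an added example that is not part of the original post: since the source map fetch is not restricted by the page's CSP, audit the scripts you ship or include for sourceMappingURL comments and flag any that point at another origin. The function names, the regex and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example (not from the original post). Audits script text for
// sourceMappingURL comments and classifies where each one points.
// Matches "//# ", legacy "//@ " and the "/*# ... */" block form.
const SOURCE_MAP_RE = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=([^\s'"*]+)/g;

// Hypothetical helper: scriptUrl is where the script is served from,
// scriptText is its body. Returns one finding per comment found.
function auditSourceMapComments(scriptUrl, scriptText) {
  const scriptOrigin = new URL(scriptUrl).origin;
  const findings = [];
  for (const match of scriptText.matchAll(SOURCE_MAP_RE)) {
    const raw = match[1];
    let kind;
    let origin = null;
    if (/^data:/i.test(raw)) {
      kind = 'inline'; // map embedded in the file, no network fetch
    } else {
      try {
        // Relative and protocol-relative values resolve against the script URL.
        origin = new URL(raw, scriptUrl).origin;
        kind = origin === scriptOrigin ? 'same-origin' : 'cross-origin';
      } catch {
        kind = 'unparseable';
      }
    }
    findings.push({ script: scriptUrl, kind, origin, raw: raw.slice(0, 80) });
  }
  return findings;
}

// Constructed sample inputs (not real scripts).
const samples = [
  ['https://app.example/static/app.js',
    'console.log(1);\n//# sourceMappingURL=app.js.map\n'],
  ['https://app.example/static/vendor.js',
    'void 0;\n//# sourceMappingURL=https://maps.other.example/v.js.map\n'],
  ['https://app.example/static/old.js',
    'void 0;\n//@ sourceMappingURL=data:application/json;base64,e30=\n'],
];

// Cross-origin findings are the ones to review: the map URL is outside
// the origin that serves the script.
function crossOriginFindings(inputs) {
  return inputs
    .flatMap(([url, text]) => auditSourceMapComments(url, text))
    .filter((finding) => finding.kind === 'cross-origin');
}

console.log(crossOriginFindings(samples));
```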