Add the CSP bypass to the mitigation bounty #16321

Status: Open. Wants to merge 1 commit into base branch main.

Conversation

tomrittervg
Contributor

@mozfreddyb @evilpie Is this good? I want the bypass to have minimal requirements but I'm not sure if phrased as-is, there are known bypasses we haven't fixed yet.

I'm envisioning a valid submission to be like:

In <file> I can get a reference to the browser and do

```js
x = document.createElement('script')
x.innerHTML = "alert(1)"
document.getElementById('whatever').appendChild(x)
```

and it will trigger, here's a screenshot.

Would our CSP protect against that? If not, how would we change this description to be accurate but expansive?

tomrittervg requested a review from a team as a code owner on June 6, 2025 14:01

@evilpie

evilpie commented Jun 10, 2025

I don't think we need to limit this to inline script execution, but script execution that bypasses the CSP in general. Executing code that is permitted by the CSP anyway (e.g. loading a random file from chrome:) isn't particularly interesting unless the reporter finds a file that enables them to escape the sandbox.

I thought we had talked about also paying a small bounty for demonstrating cases where script execution would have been possible without a CSP. Is that something we would consider?

@mozfreddyb
Contributor

I believe we should consider both:

  • A CSP bypass that would lead to a sandbox escape if there were an XSS
  • An "almost XSS" in a message sent from child to parent that is only mitigated by the CSP


3 participants