The Content-Security-Policy is made up of directives, separated with a semicolon ;. Here is an example:
There are a few techniques to bypass content security policies:
Dangling markup injection
Dangling markup injection is a technique that can be used to capture data cross-domain in situations where a full Cross Site Scripting (XSS) exploit is not possible, due to input filters or other defenses. It can often be exploited to capture sensitive information that is visible to other users, including CSRF tokens that can be used to perform unauthorized actions on behalf of the user.
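As an added example (not from the original page), this Python audit parses a policy into its semicolon-separated directives and flags the settings that leave room for the two bypass classes named here: dangling markup and JSONP endpoints on allowlisted hosts. The sample policies, the cdn.example.com host and the nonce placeholder are constructed.

```python
# Added example (not from the original page): defensive audit of a CSP header.
WILDCARDS = {"*", "http:", "https:"}

def parse_csp(header):
    """Split a policy on ';' into {directive: [sources]}; names are case-insensitive."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so keep the first occurrence.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective(policy, name):
    """Sources for a fetch directive, falling back to default-src (None = unrestricted)."""
    return policy.get(name, policy.get("default-src"))

def audit(header):
    """Return (directive, reason) findings for the two bypass classes on this page."""
    policy = parse_csp(header)
    findings = []
    # base-uri and form-action never inherit from default-src.
    for name in ("base-uri", "form-action"):
        if name not in policy:
            findings.append((name, "not set, and default-src does not cover it"))
    img = effective(policy, "img-src")
    if img is None or WILDCARDS & set(img):
        findings.append(("img-src", "any host allowed; dangling markup depends on "
                         "such cross-domain requests to capture data"))
    script = effective(policy, "script-src")
    if script is None:
        findings.append(("script-src", "scripts are unrestricted"))
    elif "'strict-dynamic'" not in [s.lower() for s in script]:
        # Host and scheme sources are unquoted; keywords, nonces and hashes are quoted.
        hosts = [s for s in script if not s.startswith("'")]
        if hosts:
            findings.append(("script-src", "host allowlist " + " ".join(hosts) +
                             "; a JSONP endpoint on any of them can be used for code injection"))
    return findings

# Constructed sample policies, not taken from any real site.
WEAK = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
HARDENED = ("default-src 'none'; script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; "
            "img-src 'self'; base-uri 'none'; form-action 'self'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(header))
```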
Here is a list of various JSONP endpoints that can be used to perform code injections: