Wednesday 17 July 2024, 20:34  #1
Web - Client CSP Bypass - Nonce
codelinesw
  • 3 posts

Hi, I am stuck in the CSP Bypass - Nonce challenge.

When I review the content security policy of the URL
http://challenge01.root-me.org/web-client/ch49/?username=say

the result is as follows:

connect-src - check
font-src - check
img-src - check
manifest - check
media-src - check
object-src - check
script-src - consider adding 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers
style-src - check
worker-src - check
frame-ancestors - check
block-all-mixed-content - check
base-uri [missing]

As you can see, the base-uri policy is not defined, so it is assumed that you can inject the tag to manipulate the main URL. But when I enter a domain, for example example.com, the tag is not rendered and it only shows the content "hacker". Reviewing the restrictions on loading the content a little, I have identified that you cannot use the (.), because once the page detects it, it does not render the content. If someone can help me, I would appreciate it.
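The mechanism the post is relying on, as an added example that is not part of the post or of the root-me challenge: a nonce on a `<script>` tag only says which script elements may run, not where their `src` is fetched from. When the policy has no `base-uri` directive and the page loads a nonced script through a relative path, an injected `<base href>` changes the origin that relative path resolves against. The CSP string, nonce value, page markup and host names below are constructed for illustration; nothing here is taken from the challenge.

```javascript
// Added example, not the challenge's code. Parses a CSP header, flags the
// missing base-uri, and resolves script src values the way a browser would
// with and without an injected <base href>. All inputs are constructed.

// Parse "directive value value; directive value" into {directive: [values]}.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...values] = parts;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// True when script-src is enforced through a nonce or a hash source.
function usesNonceOrHash(scriptSrc) {
  return (scriptSrc || []).some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
}

// Findings an evaluator would raise for this policy. The second finding is the
// point of the example: nonces do not protect relative script URLs once
// <base> can be injected, because base-uri is not restricted.
function baseUriFindings(header) {
  const policy = parseCsp(header);
  const findings = [];
  const baseUriMissing = !('base-uri' in policy);
  if (baseUriMissing) findings.push('base-uri [missing]');
  if (baseUriMissing && usesNonceOrHash(policy['script-src'])) {
    findings.push('nonced scripts with a relative src resolve against an injected <base href>');
  }
  return findings;
}

// Resolve every <script src> in the markup against the document URL, or
// against an injected base URL when one is given. Absolute src values are
// unaffected by <base>, which the URL constructor reproduces.
function resolveScriptSrcs(html, docUrl, injectedBase) {
  const srcs = [...html.matchAll(/<script[^>]*\bsrc="([^"]+)"/gi)].map((m) => m[1]);
  const base = injectedBase || docUrl;
  return srcs.map((src) => new URL(src, base).href);
}

// Constructed sample page: one nonced script loaded by relative path, one by
// absolute URL. The nonce value is made up.
const SAMPLE_HTML = `
<script nonce="r4nd0m" src="/static/app.js"></script>
<script nonce="r4nd0m" src="https://cdn.example/lib.js"></script>`;

// Constructed sample policy: nonce-based script-src, no base-uri.
const SAMPLE_CSP = "default-src 'self'; script-src 'nonce-r4nd0m'; object-src 'none'";

// Hypothetical document and attacker-controlled base URLs.
const DOC_URL = 'http://challenge.example/page';
const INJECTED_BASE = 'https://attacker.example/';

console.log(baseUriFindings(SAMPLE_CSP));
console.log(resolveScriptSrcs(SAMPLE_HTML, DOC_URL, null));
console.log(resolveScriptSrcs(SAMPLE_HTML, DOC_URL, INJECTED_BASE));
console.log(baseUriFindings(SAMPLE_CSP + "; base-uri 'self'"));
```

Adding `base-uri 'self'` (or `'none'`) to the policy removes both findings; that is the check a reviewer would want on any nonce-based policy whose scripts use relative paths. The example says nothing about which base values the challenge page accepts or rejects.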