Target page
The target page has a restrictive CSP:
default-src 'self';object-src 'none'; style-src 'self'; script-src 'self';
Attacker page
- The attacker injects an iframe with a dangling name attribute, which exfiltrates all the data up to the next single quote.
- When the frame is loaded, the attacker changes its location to about:blank.
- The attacker can then read the window.name of the iframe, which contains the CSRF token.
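
A defensive check for the dangling name attribute described above, as an added example that is not part of the original page: it scans rendered HTML for quoted attribute values that are never closed or that swallow markup, and shows that encoding the reflected value removes the finding. The names `findDanglingAttributes`, `escapeHtml` and `render`, the sample page, and the "value contains `<` or a newline" heuristic are assumptions made for illustration.

```javascript
// Added example: heuristic detector for dangling-markup injection in rendered HTML.
// Flags quoted attribute values that are never closed or that swallow markup.
function findDanglingAttributes(html) {
  const findings = [];
  const tagOpen = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  const attrRe = /[\s\/]*([^\s"'<>\/=]+)(?:\s*=\s*(["'])?)?/y; // name, optional opening quote
  let m;
  while ((m = tagOpen.exec(html)) !== null) {
    let i = tagOpen.lastIndex;
    while (i < html.length && html[i] !== '>') {
      attrRe.lastIndex = i;
      const a = attrRe.exec(html);
      if (!a) { i++; continue; }
      i += a[0].length;
      if (!a[2]) { // bare or unquoted attribute: skip to the next delimiter
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
        continue;
      }
      // A quoted value runs to the next matching quote, wherever that is.
      const end = html.indexOf(a[2], i);
      const value = end === -1 ? html.slice(i) : html.slice(i, end);
      if (end === -1 || /[<\n]/.test(value)) {
        findings.push({ tag: m[1].toLowerCase(), attr: a[1].toLowerCase(),
                        terminated: end !== -1, swallowedChars: value.length });
      }
      i = end === -1 ? html.length : end + 1;
    }
    tagOpen.lastIndex = i; // resume after this tag so swallowed markup is not re-scanned
  }
  return findings;
}

// Mitigation: encode reflected input so it cannot open a tag or a quote.
const escapeHtml = s => s.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);

// Constructed sample page: `reflected` stands in for the user-controlled value.
const render = reflected => `<p>Hello ${reflected}</p>
<input type="hidden" name="csrf" value="CONSTRUCTED-TOKEN">
<p>It's done</p>`;

const injection = "<iframe name='";                        // constructed input
console.log(findDanglingAttributes(render(injection)));    // one finding
console.log(findDanglingAttributes(render(escapeHtml(injection)))); // []
```

The check is a heuristic: a legitimate attribute that contains a raw `<` or a line break is also reported, so treat findings as candidates for review.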