Technically Pointless
So in order to inject the blank window to take advantage of this CSP bypass :-
Scenario A. The CSP allows inline-scripting already and the app renders user content as html without really sanitising it first. (so no real need for the CSP bypass anyway)
Scenario B. You have found another CSP bypass so that you can inject the code to open a blank window (so you need a CSP bypass to then use a CSP bypass, pointless)
Scenario C. The site is served over HTTP and you have managed to set up a man in the middle, enabling you to inject content into the page directly, again, you don't relly need the blank window CSP bypass because you can just remove the CSP header completely and do what you want.
Anyone got a theoretical example that works in a real situation where a properly defined CSP is in place?