Please note the host parameter in the URL query string. It can be set to 'https://cdn.onesignal.com/' to perform XSS attack that includes script from third-party site https://cdn.onesignal.com
Check Console Logs to know if XSS attack was success
Check Console Logs to know if XSS attack was success