Another payload could have been used to embed unauthorized images in the webpage. Because the website is protected by a Content Security Policy (CSP), we can only add the malicious payload, which would look something like the following:
<http://<img src="https://profile-photos.hackerone-user-content.com/production/000/000/013/76b3a9e70495c3b7340e33cdf5141660ae26489b_large.png?1383694562">
The previous payload will be rendered as follows:
http://<img src="https://profile-photos.hackerone-user-content.com/production/000/000/013/76b3a9e70495c3b7340e33cdf5141660ae26489b_large.png?1383694562">
This will post an image in the report page without having the page.
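
A defensive sketch for this case, added here as an example and not taken from the original report or from the affected site's code: an autolink renderer that escapes all input before re-introducing links, plus a check that flags any unexpected element in rendered output. The function names, the simplified autolink pattern and the one-element allowlist are assumptions; the payload and rendered strings are the ones shown above.

```python
import html
import re
from html.parser import HTMLParser

# Strings from the page: the submitted payload and what it was rendered as.
IMG_URL = ("https://profile-photos.hackerone-user-content.com/production/000/000/013/"
           "76b3a9e70495c3b7340e33cdf5141660ae26489b_large.png?1383694562")
PAYLOAD = '<http://<img src="' + IMG_URL + '">'
RENDERED_ON_PAGE = 'http://<img src="' + IMG_URL + '">'

# After escaping, an autolink <http://host/path> reads &lt;http://host/path&gt;.
# The URL body may not contain whitespace, '&' or ';', so no escaped markup
# character can sit inside it. Assumption: this simplified pattern also
# declines to link URLs that contain '&'; they stay as escaped text.
ESCAPED_AUTOLINK = re.compile(r"&lt;(https?://[^\s&;]+)&gt;")
ALLOWED_TAGS = {"a"}  # assumption: the only element this renderer may emit


def render_autolinks(text):
    """Escape everything first, then emit <a> only for clean URLs."""
    escaped = html.escape(text, quote=True)
    return ESCAPED_AUTOLINK.sub(
        lambda m: '<a href="{0}" rel="nofollow noopener">{0}</a>'.format(m.group(1)),
        escaped,
    )


class TagCollector(HTMLParser):
    """Records the name of every start tag found in rendered HTML."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(rendered):
    """Return the elements in rendered output that are outside the allowlist."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return [t for t in collector.tags if t not in ALLOWED_TAGS]


if __name__ == "__main__":
    print(unexpected_tags(RENDERED_ON_PAGE))           # output shown on the page
    print(unexpected_tags(render_autolinks(PAYLOAD)))  # escaped-first renderer
```

Running `unexpected_tags` over renderer output for a corpus of known payloads works as a regression test regardless of how the renderer is implemented.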