Under a properly configured CSP, allowing scripts that aren't from the same origin to inject things into the DOM is the problem.
Both of your examples are problematic.
Under a properly configured CSP, allowing scripts that aren't from the same origin to inject things into the DOM is the problem.
Both of your examples are problematic.