Usage:
http://cm2.pw/xssi?url=http://example.com

Parameters:
url   -   Target URL, required
eval  -   JavaScript code to be evaled, optional
<attributes>  -   Any other attributes that script element supports (async, defer, charset, etc.), optional

Example:
http://cm2.pw/xssi?url=https://api.ipify.org%3fformat=jsonp
http://cm2.pw/xssi?url=https://api.ipify.org%3fformat=jsonp%26callback=myFunc&charset=utf-16be&eval=myFunc=i=>alert(JSON.stringify(i))

References:
https://www.scip.ch/en/?labs.20160414
http://www.mbsd.jp/Whitepaper/xssi.pdf
http://scary.beasts.org/security/CESA-2008-011.html
http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html
http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/
https://www.owasp.org/images/f/f3/Your_Script_in_My_Page_What_Could_Possibly_Go_Wrong_-_Sebastian_Lekies%2BBen_Stock.pdf