`Content-Security-Policy-Report-Only`: this header does not block anything, it only sends reports (use it in a pre-production environment).
`script-src` is set to `'self'` and a particular whitelisted domain: this can be bypassed using JSONP. JSONP endpoints allow insecure callback methods, which let an attacker perform XSS. Working payload:
If the allowlisted entry is a folder such as `http://example.com/company/`, you can bypass the folder restriction and execute:
The `$event` object simply references the browser event object, and you can use it to perform a CSP bypass. On Chrome, the event object has a special property called `path`. This property contains an array of the objects that caused the event to be executed, and the last element is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function such as `alert()`. The following code demonstrates this:
`'unsafe-inline'` means that any script inside the page can be executed (an XSS can execute code), and `img-src *` means that the webpage can use any image from any source.
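As an added example (not code from the original page), the following Python checker flags the weak settings discussed above: Report-Only mode, `'unsafe-inline'`, wildcard sources such as `img-src *`, folder-scoped allowlist entries and third-party script hosts that should be reviewed for JSONP callbacks. The header name, policy string and `own_host` value are constructed inputs.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (directive, issue code)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    A directive repeated in one policy is ignored after its first occurrence."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def host_and_path(source: str) -> Tuple[str, str]:
    """Return (host, path) for a host-source such as https://cdn.example.com/js/."""
    rest = source.split("://", 1)[1] if "://" in source else source
    host, _, path = rest.partition("/")
    return host.lower(), ("/" + path if path else "")


def audit_csp(header_name: str, policy: str, own_host: str) -> List[Finding]:
    """Flag weak settings; own_host is the host serving the page (assumed input)."""
    findings: List[Finding] = []
    if header_name.lower() == "content-security-policy-report-only":
        findings.append(("*", "report-only"))  # nothing is blocked, only reported
    directives = parse_csp(policy)
    if "script-src" not in directives and "default-src" not in directives:
        findings.append(("script-src", "no-script-restriction"))
    for name, sources in directives.items():
        if "*" in sources:  # e.g. img-src *: any origin may serve the resource
            findings.append((name, "wildcard"))
        if name not in ("script-src", "default-src"):
            continue
        if "'unsafe-inline'" in sources:  # injected inline script will run
            findings.append((name, "unsafe-inline"))
        for src in sources:
            # skip keywords, nonces, hashes, scheme-sources and the bare wildcard
            if src.startswith("'") or src.endswith(":") or src == "*":
                continue
            host, path = host_and_path(src)
            if path.endswith("/"):  # folder-scoped: every script under it is trusted
                findings.append((name, "folder-scope"))
            if host != own_host.lower():  # third-party script host: review for JSONP
                findings.append((name, "third-party-host"))
    return findings


if __name__ == "__main__":  # constructed sample header
    for finding in audit_csp("Content-Security-Policy-Report-Only",
                             "script-src 'self' 'unsafe-inline' https://cdn.example.com/js/; img-src *",
                             "example.com"):
        print(finding)
```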
`'unsafe-inline'`: this time you can make the victim load a page under your control via XSS with an `<iframe>`. You make the victim access the page from which you want to extract information (CSRF). You cannot access the content of that page, but if you can somehow control the time the page needs to load, you can extract the information you need.
Load `https://redirectme.domain1.com` in an iframe and listen to the `securitypolicyviolation` event, whose `blockedURI` property contains the domain of the blocked URI. This works because `https://redirectme.domain1.com` (allowed by CSP) redirects to `https://adminsecret321.domain2.com` (blocked by CSP). It makes use of undefined behavior in how iframes are handled under CSP; Chrome and Firefox behave differently here.
`;_`: if this is injected into the policy, Edge would drop the entire policy. Example: http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E