Is it possible to bypass this CSP?


  • QA Engineer

    Today I created a web application. I'm using this CSP to avoid XSS attacks. CSP: Content-Security-Policy: `child-src 'none'; connect-src 'none'; default-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src 'report-sample'; style-src 'report-sample'; worker-src 'none';` Does anyone know if it's still possible to XSS? If so, how? My web app is an extremely simple pastebin website.



  • It's not clear what you mean by bypassing CSP. XSS (injecting user-controlled HTML code) is possible if user input is rendered unescaped, but it is impossible to exploit XSS, since you have completely prohibited styles and scripts.

    But clickjacking is possible, since there is no frame-ancestors directive.
    Form redirection is also possible, since there is no form-action directive.

    Please note that script-src 'report-sample'; completely forbids any script on the page, and style-src 'report-sample'; forbids any CSS style.
    Thus, it will be a site with default styles built into the browser and no interactive interaction with visitors.
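
Added example, not part of the original answer: a small JavaScript check that parses the policy from the question and flags directives that do not fall back to default-src, which is why the two gaps named above exist despite default-src 'none'. The function names, the HARDENED policy, and the inclusion of base-uri (a third no-fallback directive the answer does not name) are assumptions of this example.

```javascript
// Directives that do NOT inherit from default-src (it only covers fetch directives).
const NO_FALLBACK = ["frame-ancestors", "form-action", "base-uri"];

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by the browser: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A source list matches nothing when it is empty or holds only 'none' / 'report-sample'.
// 'none' next to a real source is ignored, so "'none' https://x" still allows https://x.
function matchesNothing(sources) {
  return sources.every((s) => ["'none'", "'report-sample'"].includes(s.toLowerCase()));
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  for (const name of NO_FALLBACK) {
    if (!d.has(name)) findings.push(`${name} missing: default-src does not cover it`);
  }
  for (const name of ["script-src", "style-src"]) {
    const sources = d.get(name) ?? d.get("default-src"); // fetch directives do fall back
    if (sources === undefined) findings.push(`${name} unrestricted: no ${name} or default-src`);
    else if (!matchesNothing(sources)) findings.push(`${name} allows: ${sources.join(" ")}`);
  }
  return findings;
}

// Policy as posted in the question, and a hardened variant constructed for this example.
const POSTED = "child-src 'none'; connect-src 'none'; default-src 'none'; font-src 'none'; " +
  "frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; " +
  "prefetch-src 'none'; script-src 'report-sample'; style-src 'report-sample'; worker-src 'none';";
const HARDENED = POSTED + " frame-ancestors 'none'; form-action 'none'; base-uri 'none';";

console.log(auditCsp(POSTED));   // three "missing" findings
console.log(auditCsp(HARDENED)); // no findings
```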


