Is it possible to bypass this CSP?
Today I created a web application. I'm using this CSP to avoid XSS attacks. CSP:
Content-Security-Policy: child-src 'none'; connect-src 'none'; default-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src 'report-sample'; style-src 'report-sample'; worker-src 'none';
Does anyone know if it's still possible to XSS? If so, how? My web app is an extremely simple pastebin website.
inna last edited by
It's not clear what you mean by bypassing CSP. XSS (injecting user-controlled HTML code) is possible if user input is rendered unescaped, but it is impossible to exploit the XSS, since you have completely prohibited styles and scripts.
But Clickjacking is possible since an absence of
Form redirection is also possible, since there is no
Please note that script-src 'report-sample'; completely forbids any script on the page, and style-src 'report-sample'; forbids any CSS style.
Thus, it will be a site with default styles built into the browser and no interactive interaction with visitors.
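As an added example (not code from the thread or from the poster's application), this JavaScript check parses the policy quoted in the question and reports which directives that never inherit from default-src (base-uri, form-action, frame-ancestors) are absent, and whether script-src and style-src end up allowing no source at all. The function names are hypothetical, and the -elem/-attr variants of script-src and style-src are not considered.

```javascript
// Added example: audit a CSP string for gaps that default-src does not cover.
// Directives that never fall back to default-src.
const NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"];
// Keywords that affect reporting only and allow no source by themselves.
const NON_SOURCE_KEYWORDS = new Set(["'report-sample'"]);

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the source list matches nothing (empty, 'none', or keywords only).
function allowsNothing(sources) {
  const effective = sources.filter((s) => !NON_SOURCE_KEYWORDS.has(s.toLowerCase()));
  return effective.length === 0 ||
    (effective.length === 1 && effective[0].toLowerCase() === "'none'");
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const fallback = d.get("default-src");
  const blocked = (name) => {
    const sources = d.get(name) ?? fallback; // fetch directives inherit default-src
    return sources !== undefined && allowsNothing(sources);
  };
  return {
    missingNoFallback: NO_FALLBACK.filter((name) => !d.has(name)),
    scriptsBlocked: blocked("script-src"),
    stylesBlocked: blocked("style-src"),
  };
}

// The policy value quoted in the question.
const POLICY = "child-src 'none'; connect-src 'none'; default-src 'none'; font-src 'none'; " +
  "frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; " +
  "object-src 'none'; prefetch-src 'none'; script-src 'report-sample'; " +
  "style-src 'report-sample'; worker-src 'none';";

console.log(auditCsp(POLICY));
```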