CSP
Rules
Source directives
| Directive | Description |
|---|---|
| default-src | Fallback for every fetch directive that is not set explicitly (script-src, img-src, connect-src, ...). frame-ancestors does not fall back to it. |
| script-src | Where JavaScript may be loaded from (and whether inline scripts/eval are allowed, see the values below) |
| style-src | Where stylesheets may be loaded from |
| img-src | Where images may be loaded from |
| connect-src | Origins the page may connect to: fetch/XMLHttpRequest (AJAX), WebSocket, EventSource |
| font-src | Where fonts may be loaded from |
| object-src | Where plugin content (`<object>`, `<embed>`, `<applet>`) may be loaded from; set it to 'none' unless plugins are needed |
| media-src | Where audio and video files may be loaded from |
| frame-ancestors | Which sites may embed this page in a frame/iframe (replaces X-Frame-Options) |
Source values
| Value | Description |
|---|---|
| * | Load resources from any host. data:, blob: and filesystem: URLs are not covered by * and must be listed explicitly. |
| 'none' | Block everything |
| 'self' | Only the page's own origin (same scheme, host and port) |
| data: | Only data: URLs (typically base64-encoded inline content). Dangerous in script-src and object-src, since an attacker can embed code in the URL. |
| something.example.com | Only the listed host; `*.example.com` matches every subdomain (but not example.com itself) |
| https: | Any host, as long as the resource is loaded over HTTPS |
| 'unsafe-inline' | Allows inline `<script>`/`<style>` blocks, inline event handlers (onclick="...") and javascript: URLs. Ignored by CSP2+ browsers when the same directive also carries a nonce or hash. |
| 'unsafe-eval' | Allows dynamic code evaluation: eval(), new Function(), string arguments to setTimeout()/setInterval() |
| 'sha256-...' | Allows an inline script or style whose SHA-256 hash (base64) matches; sha384 and sha512 work the same way |
| 'nonce-...' | Allows an inline script or style whose tag carries a nonce attribute matching the nonce in the CSP header. The nonce must be unguessable and regenerated for every response. |
Bypass
Tags
JSONBee is a repository of ready-to-use injection payloads (JSONP endpoints on commonly whitelisted domains) that abuse the hosts and tags a CSP allows.
If the CSP whitelists Google domains, code can be injected through a tag hosted at Google using their free Google Tag Manager product: the attacker creates their own GTM container containing a custom HTML tag and loads it from the allowed Google host, so the script passes the policy.
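The following is an added example, not code from the original page: a simplified model of how a browser evaluates a Content-Security-Policy header, written to illustrate both tables above and the whitelisting bypass just described. It parses a policy, applies the default-src fallback (and its absence for frame-ancestors), matches the source values (*, 'self', scheme, host with wildcard/port/path, data:), applies the rule that a nonce or hash makes 'unsafe-inline' ignored, and audits a script-src for the weak values. The demo policy, the page origin `https://app.example.com` and the GTM URL are constructed inputs; the code is not a full CSP implementation (no 'strict-dynamic', no report-only handling).

```javascript
// Added example (not from the original page): simplified CSP evaluation model.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "connect-src",
  "font-src", "object-src", "media-src",
]);
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-/i;

// "script-src 'self' https://cdn.example.com; img-src *" -> Map(name -> [values]).
// Browsers keep the first occurrence of a duplicated directive, so do we.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Sources governing a directive: fetch directives fall back to default-src,
// frame-ancestors (a non-fetch directive) never does. null = unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Does one source expression match `url` when the page lives at `page`?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (e === "'self'") return url.origin === page.origin;
  if (e.endsWith(":")) return url.protocol === e;        // scheme source: https:, data:
  if (e.startsWith("'")) return false;                   // keywords, nonces, hashes never match URLs
  // host source: [scheme://][*.]host[:port|:*][/path]
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wild, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === "http:" && url.protocol === "https:")) {
    return false;                                        // no scheme: page scheme or its secure upgrade
  }
  if (wild ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  if (port && port !== "*" && (url.port || DEFAULT_PORT[url.protocol] || "") !== port) return false;
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Would loading `urlString` for `directive` be permitted under `header`?
// `pageOrigin` is an assumed page location for the demo.
function isAllowed(header, directive, urlString, pageOrigin = "https://app.example.com") {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  const url = new URL(urlString), page = new URL(pageOrigin);
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// Inline <script>: a matching nonce or hash wins; otherwise 'unsafe-inline' applies
// only when the directive carries no nonce/hash at all (CSP2+ browsers ignore it then).
function inlineScriptAllowed(header, { nonce, sha256 } = {}) {
  const sources = effectiveSources(parseCsp(header), "script-src");
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  if (sha256 && sources.includes(`'sha256-${sha256}'`)) return true;
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Flag the script-src values from the table that an attacker can lean on.
function auditScriptSrc(header) {
  const sources = effectiveSources(parseCsp(header), "script-src");
  if (sources === null) return ["no script-src or default-src: scripts are unrestricted"];
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  const findings = [];
  if (lower.includes("*")) findings.push("* allows scripts from any host");
  if (lower.includes("https:")) findings.push("https: allows scripts from any HTTPS host");
  if (lower.includes("data:")) findings.push("data: allows <script src=\"data:...\">");
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("'unsafe-inline' without nonce/hash allows injected inline scripts");
  if (lower.includes("'unsafe-eval'")) findings.push("'unsafe-eval' allows eval()/Function()");
  for (const s of lower) if (s.startsWith("*.")) findings.push(`${s} whitelists every subdomain, including JSONP endpoints`);
  return findings;
}

// Constructed demo policy that whitelists Google Tag Manager, as in the bypass note above.
const demoPolicy = "default-src 'self'; script-src 'self' https://www.googletagmanager.com; object-src 'none'; frame-ancestors 'none'";
console.log(isAllowed(demoPolicy, "script-src", "https://www.googletagmanager.com/gtm.js")); // true: an attacker-owned container loads
console.log(auditScriptSrc("script-src 'self' 'unsafe-inline' *.google.com"));
```

Run it with `node csp-eval.js`. The point of `isAllowed(demoPolicy, ...)` returning true is that the policy is doing exactly what it was written to do; the weakness is that the whitelisted host serves attacker-controllable content, which is why host whitelists are weaker than nonces or hashes.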