
CSP

CSP policy validator

Rules

Sources

| Source | Description |
| --- | --- |
| default-src | Fallback for every fetch directive that is not set explicitly (script-src, style-src, img-src, ...); it does not cover frame-ancestors |
| script-src | Where JavaScript may be loaded from |
| style-src | Where stylesheets may be loaded from |
| img-src | Where images may be loaded from |
| connect-src | Applies to XHR/fetch (AJAX), WebSocket and EventSource connections |
| font-src | Where fonts may be loaded from |
| object-src | Where plugin content (<object>, <embed>) may be loaded from |
| media-src | Where audio and video files may be loaded from |
| frame-ancestors | Which sites may embed this page in a frame or iframe |

Associated values

| Value | Description |
| --- | --- |
| * | Load resources from anywhere (any host, any scheme except data:, blob: and filesystem:) |
| 'none' | Block everything for this directive |
| 'self' | Only the page's own origin (same scheme, host and port) |
| data: | Allow data: URIs (for example base64-encoded content); in script-src this is as bad as 'unsafe-inline', since the attacker controls the content of the URI |
| something.example.com | Only the specified host (use *.example.com to allow its subdomains; the wildcard does not match example.com itself) |
| https: | Any host, as long as the resource is loaded over HTTPS |
| 'unsafe-inline' | Allows inline scripts and styles (inline <script>/<style> blocks, event handlers such as onclick, javascript: URLs); ignored by CSP Level 2+ browsers when a nonce or hash is also present |
| 'unsafe-eval' | Allows dynamic code evaluation (eval(), new Function(), string arguments to setTimeout/setInterval) |
| 'sha256-<hash>' | Allows an inline script or style only if its content matches the hash (sha384- and sha512- are also accepted) |
| 'nonce-<value>' | Allows an inline script or style whose tag carries a nonce attribute matching the nonce in the CSP header; the nonce must be unpredictable and regenerated for every response |

Bypass

Tags

JSONBee is a repository containing a list of ready-to-use JSONP endpoints and injection payloads that abuse allowlisted tags and domains to bypass CSP.

If the CSP allows Google domains, it is possible to inject code through a tag hosted by Google using their free product Google Tag Manager: the allowlisted host serves a script whose content is controlled by whoever set up the container, so the allowlist no longer restricts what runs.
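As an added example (not code from the original page), here is a small JavaScript checker in the spirit of the "CSP policy validator" heading above: it parses a Content-Security-Policy header, resolves the default-src fallback, and flags the weak source values from the table together with allowlisted hosts of the kind discussed in the bypass section. The BYPASSABLE_HOSTS list, the function names and the sample headers are assumptions constructed for this example; a real tool would use a maintained list of JSONP endpoints such as JSONBee.

```javascript
// Added example, not code from the original page: a small checker that
// parses a Content-Security-Policy header, resolves each directive's
// fallback to default-src, and reports the weak values and bypassable
// allowlist entries discussed above. BYPASSABLE_HOSTS is an illustrative
// assumption (hosts serving JSONP endpoints or user-controlled scripts,
// such as Google Tag Manager); a real tool would use a maintained list.

const BYPASSABLE_HOSTS = ['www.googletagmanager.com', '*.google.com'];

// Parse "directive value value; directive value" into a Map.
// Per the CSP spec, only the first occurrence of a directive is honoured.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Effective source list for a fetch directive: the directive itself, else
// default-src, else null (meaning the resource type is unrestricted).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Strip scheme, port and path from a host-source expression.
function sourceHost(value) {
  return value.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0].toLowerCase();
}

// CSP wildcard semantics: "*.example.com" matches subdomains, not example.com itself.
function hostMatches(pattern, host) {
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// Return a list of human-readable findings for a policy string.
function findings(header) {
  const policy = parsePolicy(header);
  const out = [];

  const script = effectiveSources(policy, 'script-src');
  if (script === null) {
    out.push('script-src: neither script-src nor default-src is set, scripts are unrestricted');
  } else {
    // When a nonce or hash is present, CSP Level 2+ browsers ignore 'unsafe-inline';
    // it then only serves as a fallback for browsers that do not understand nonces.
    const hasNonceOrHash = script.some((v) => /^'(nonce|sha256|sha384|sha512)-/i.test(v));
    for (const v of script) {
      const lower = v.toLowerCase();
      if (lower === '*') {
        out.push('script-src: * allows scripts from any origin');
      } else if (lower === "'unsafe-eval'") {
        out.push("script-src: 'unsafe-eval' allows eval() and new Function()");
      } else if (lower === "'unsafe-inline'" && !hasNonceOrHash) {
        out.push("script-src: 'unsafe-inline' allows inline scripts, event handlers and javascript: URLs");
      } else if (lower === 'data:') {
        out.push('script-src: data: lets an attacker inject <script src="data:...">');
      } else if (lower === 'https:' || lower === 'http:') {
        out.push(`script-src: ${lower} allows scripts from any host over that scheme`);
      } else if (!lower.startsWith("'")) {
        // Host source: check it against hosts known to serve attacker-controllable scripts.
        const hit = BYPASSABLE_HOSTS.find((p) => hostMatches(p, sourceHost(v)));
        if (hit) out.push(`script-src: ${v} hosts JSONP endpoints or user-controlled scripts (matches ${hit})`);
      }
    }
  }

  // Without object-src, <object>/<embed> can load plugin content from anywhere.
  const object = effectiveSources(policy, 'object-src');
  if (object === null || object.includes('*')) {
    out.push("object-src: unrestricted, add object-src 'none' unless plugins are required");
  }
  return out;
}

// Constructed sample headers for demonstration (not taken from any real site).
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://www.googletagmanager.com; object-src 'none'";
const STRONG_POLICY =
  "default-src 'none'; script-src 'self' 'nonce-r4nd0mV4lu3' 'unsafe-inline'; object-src 'none'; img-src 'self' data:";

console.log(findings(WEAK_POLICY));   // four findings
console.log(findings(STRONG_POLICY)); // []
```

Note that data: is only reported for script-src: in img-src it is harmless, which is why STRONG_POLICY comes back clean, and 'unsafe-inline' next to a nonce is not reported because nonce-aware browsers ignore it.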
