XXS and Content Security Policy (CSP)

xvan7hu · February 23, 2016, 12:10pm

Hi everyone,
As introduction here, Content Security Policy - OWASP Cheat Sheet Series

Content Security Policy (CSP) is an effective “defense in depth” technique to be used against content injection attacks. It is a declarative policy that informs the user agent what are valid sources to load from.

Well, if I have a CSP of this type:

Content-Security-Policy: script-src ‘self’ https://apis.google.com

In this case, e.g. I take ‘self’ as ‘abc.com’

If I have and XSS of this type:

It will be ‘refused’ to execute by CSP.

But, what if the XSS is persistent?, and it will be served from the ‘self’, I don’t think CSP will ‘refuse to execute’ it in anyway.

Is my thinking right?, please help me clarify this, thank you all.

xvan7hu · February 23, 2016, 12:14pm

Well, seems the filter has filtered my XSS code

ctus · March 17, 2016, 9:41am

should be markdown mate three of these at the beginning ``` and end

Topic		Replies	Views
XSS vs X-XSS and CSP Starter Zone	4	1293	December 25, 2019
How to make more harmful injection in img src=" " with no CSP and trigger js in IMG tag Web Hacking	4	5937	May 7, 2019
Is JSONP callback XSS a thing? Web Hacking	0	3621	May 29, 2018
When does an XSS become a Self-XSS? Starter Zone	5	12526	September 1, 2015
Xss reflected regarding Starter Zone	8	1600	July 29, 2020

XXS and Content Security Policy (CSP)

Related Topics