Hi everyone,
As an introduction, see: Content Security Policy - OWASP Cheat Sheet Series
Content Security Policy (CSP) is an effective “defense in depth” technique to be used against content injection attacks. It is a declarative policy that informs the user agent what are valid sources to load from.
Well, if I have a CSP of this type:
Content-Security-Policy: script-src 'self' https://apis.google.com
In this case, e.g. I take 'self' as 'abc.com'.
If I have an XSS of this type:
It will be 'refused' to execute by CSP.
But what if the XSS is persistent and is served from 'self'? I don't think CSP will 'refuse to execute' it in any way.
Is my thinking right? Please help me clarify this. Thank you all.
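The behaviour the question turns on, as an added example that is not part of the original post: a small JavaScript model of how a browser applies a `script-src` directive. It assumes the document origin is `https://abc.com` (the poster's 'self'), takes the policy from the post, and adds a stricter constructed alternative for comparison. Keywords `'self'`, `'unsafe-inline'`, `'nonce-…'` and host sources with an optional path are modelled; hashes and `'strict-dynamic'` are not. The point it makes: CSP never looks at where the HTML came from, only at what kind of script it is and where it is fetched from, so an injected inline `<script>` is blocked whether the XSS is reflected or stored, while any script file fetched from an allowed origin is permitted, which is why restricting the allowed path or moving to nonces matters.

```javascript
// Added example, not part of the original post: a minimal model of the
// script-src decision a browser makes. Not a full CSP implementation.

const DOCUMENT_ORIGIN = "https://abc.com"; // assumed: the site the post calls 'self'

// The policy from the post, and a stricter alternative constructed here.
const POST_POLICY = "script-src 'self' https://apis.google.com";
const STRICT_POLICY = "script-src 'nonce-r4nd0m' https://abc.com/static/";

// Pull the source list out of the script-src directive.
function parseScriptSrc(policy) {
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("script-src"));
  if (!directive) return [];
  return directive.split(/\s+/).slice(1);
}

// Does a host source such as https://apis.google.com or https://abc.com/static/
// match the script URL? Scheme and host must match; a path ending in "/" is a
// prefix, any other explicit path must match exactly, no path means any path.
function hostSourceMatches(source, scriptUrl) {
  let allowed;
  try {
    allowed = new URL(source);
  } catch {
    return false; // keywords like 'self' or 'nonce-…' are not host sources
  }
  if (allowed.origin !== scriptUrl.origin) return false;
  const hasExplicitPath = source.replace(/^[a-z]+:\/\/[^/]+/i, "") !== "";
  if (!hasExplicitPath) return true;
  return allowed.pathname.endsWith("/")
    ? scriptUrl.pathname.startsWith(allowed.pathname)
    : scriptUrl.pathname === allowed.pathname;
}

// script is { kind: "inline", nonce? } or { kind: "external", url, nonce? }.
// Returns "allowed" or "blocked".
function evaluateScript(script, policy, documentOrigin = DOCUMENT_ORIGIN) {
  const sources = parseScriptSrc(policy);
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice("'nonce-".length, -1));

  // A nonce attribute matching one in the policy allows the script outright.
  if (script.nonce && nonces.includes(script.nonce)) return "allowed";

  if (script.kind === "inline") {
    // Inline script blocks, event handlers and javascript: URLs need
    // 'unsafe-inline' (or a matching nonce). Whether the markup reached the
    // page by reflection, by storage, or legitimately plays no role here.
    return sources.includes("'unsafe-inline'") ? "allowed" : "blocked";
  }

  const url = new URL(script.url);
  for (const source of sources) {
    if (source === "'self'" && url.origin === documentOrigin) return "allowed";
    if (hostSourceMatches(source, url)) return "allowed";
  }
  return "blocked";
}

// Verdicts for the cases discussed in the thread under a given policy.
// All URLs are constructed for the example.
function verdicts(policy) {
  const cases = {
    injectedInline: { kind: "inline" },
    noncedInline: { kind: "inline", nonce: "r4nd0m" },
    ownStaticScript: { kind: "external", url: "https://abc.com/static/app.js" },
    uploadedOnSelf: { kind: "external", url: "https://abc.com/uploads/note.js" },
    googleApi: { kind: "external", url: "https://apis.google.com/js/api.js" },
    thirdParty: { kind: "external", url: "https://third-party.example/lib.js" },
  };
  const out = {};
  for (const [name, script] of Object.entries(cases)) {
    out[name] = evaluateScript(script, policy);
  }
  return out;
}

console.log("post policy  ", verdicts(POST_POLICY));
console.log("strict policy", verdicts(STRICT_POLICY));
```

Under the post's policy the injected inline script is blocked even when it is stored and served by abc.com, because nothing in the source list permits inline script; what the policy does allow is any script file whose URL is on abc.com, including one under a user-writable path. The constructed stricter policy narrows that to a nonce and the `/static/` path, so the same uploaded file is refused while the site's own nonced scripts still run.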