
Today I created a web application. I'm using this CSP to avoid XSS attacks:

`Content-Security-Policy: child-src 'none'; connect-src 'none'; default-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src 'report-sample'; style-src 'report-sample'; worker-src 'none'`

Does anyone know if it's still possible to XSS? If so, how? My web app is an extremely simple pastebin website.

user259894
  • `script-src 'report-sample'`: isn't that essentially not restricting scripts at all, but only reporting violations (there are none, though, since there are no restrictions)? Also, why do you explicitly set all the policies to `'none'` given that you already have a `default-src 'none'`? – Steffen Ullrich Jun 13 '21 at 18:13
  • I have no idea, the more the better I guess – user259894 Jun 13 '21 at 18:22
  • Essentially, your CSP disallows everything. –  Jun 14 '21 at 11:54
  • A good resource is https://csp-evaluator.withgoogle.com/ – jub0bs Jul 19 '21 at 10:36
  • Still an experiment, but a successful one: [trusted types](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types). – jub0bs Jul 19 '21 at 10:43

1 Answer

It's not clear what you mean by bypassing CSP. XSS (injecting user-controlled HTML code) is possible in case of rendering unescaped user input, but it is impossible to exploit XSS, since you have completely prohibited styles and scripts.

But clickjacking is possible because of the absence of a `frame-ancestors` directive.
Form redirection is also possible, since there is no `form-action` directive.

Please note that `script-src 'report-sample';` completely forbids any script on the page, and `style-src 'report-sample';` forbids any CSS style.
Thus, it will be a site with the default styles built into the browser and no interactive features for visitors.

granty
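As an added example (my own code, not part of the question or the answer): a small Python script that parses the policy from the question, flags the two gaps the answer points out (no `frame-ancestors`, no `form-action`) and additionally `base-uri`, which `default-src` also does not cover, confirms that a `script-src`/`style-src` list containing only `'report-sample'` matches nothing (it behaves like `'none'`), and shows the output escaping a pastebin still needs because CSP limits what an injected element can do, not whether it is injected. The policy string is copied from the question; the hardened values (`frame-ancestors 'none'`, `form-action 'self'`, `base-uri 'none'`) are my assumptions about a sensible default, not something the page prescribes.

```python
"""Audit a Content-Security-Policy header for the gaps discussed in the answer."""
import html

# The policy from the question, verbatim.
QUESTION_CSP = (
    "child-src 'none'; connect-src 'none'; default-src 'none'; font-src 'none'; "
    "frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; "
    "object-src 'none'; prefetch-src 'none'; script-src 'report-sample'; "
    "style-src 'report-sample'; worker-src 'none'"
)

# Directives that default-src does NOT govern, so they must be set explicitly.
NAVIGATION_DIRECTIVES = ("frame-ancestors", "form-action", "base-uri")

# Keywords that are not source expressions. A source list made only of these
# matches nothing, which is why the question's script-src blocks every script.
NON_SOURCE_KEYWORDS = {"'report-sample'"}

# Assumed hardened defaults (my choice, not from the page).
HARDENED_DEFAULTS = {
    "frame-ancestors": ["'none'"],   # no framing at all: stops clickjacking
    "form-action": ["'self'"],       # forms may only submit to this origin
    "base-uri": ["'none'"],          # no <base> tag may redirect relative URLs
}


def parse_csp(header):
    """Split a CSP header into {directive: [values]}.

    Directive names are case-insensitive and, per CSP3, the first occurrence of
    a duplicated directive wins; later duplicates are ignored.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def audit_csp(header):
    """Return a list of human-readable findings for the given policy."""
    policy = parse_csp(header)
    findings = []
    for name in NAVIGATION_DIRECTIVES:
        if name not in policy:
            findings.append(f"missing {name} (not covered by default-src)")
    for name in ("script-src", "style-src"):
        values = policy.get(name)
        if values is None:
            continue
        if not [v for v in values if v not in NON_SOURCE_KEYWORDS]:
            findings.append(
                f"{name} has no source expressions: it matches nothing, same as 'none'"
            )
    return findings


def harden(header):
    """Add the navigation directives the policy lacks, keeping everything else."""
    policy = parse_csp(header)
    for name, values in HARDENED_DEFAULTS.items():
        policy.setdefault(name, values)
    return "; ".join(f"{name} {' '.join(values)}".rstrip() for name, values in policy.items())


def render_paste(paste):
    """Render a paste inside <pre>. Escaping is still required: even with this
    CSP, unescaped input could inject markup (e.g. a phishing form), and the
    CSP only limits what that markup can then do."""
    return "<pre>" + html.escape(paste, quote=True) + "</pre>"


if __name__ == "__main__":
    for finding in audit_csp(QUESTION_CSP):
        print("-", finding)
    print("hardened:", harden(QUESTION_CSP))
    print(render_paste("<script>alert(1)</script>"))
```

Running it lists five findings for the question's policy (three missing navigation directives plus the two "matches nothing" notes, which are intentional here rather than defects) and prints the hardened header; after hardening, only the two intentional notes remain.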