Do object-src and base-uri bypasses still work on Content-Security-Policies?
I’m assessing the security level of a webapp and one of the test cases is the CSP header. I always use the Google CSP evaluator to assess the header. Let’s consider the following CSP header:
Content-Security-Policy:
img-src 'self' https://…