Android 12 waiting

Hi, i recently came accross the payload for CSP bypasses using the scheme-src data . I think that the current payload is unnecessary complex in regards of the actuall issue of the vulnerable CSP. Therefore i would propose to change the payload to the most bare needed complexity and add the mozzilla documentation to it, where the issue is also stated:

<scheme-source>
    data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.

You can view, comment on, or merge this pull request online at:

Commit Summary

File Changes

Patch Links:


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.