Hi, I recently came across the payload for CSP bypasses using the scheme-src data. I think that the current payload is unnecessarily complex with regard to the actual issue of the vulnerable CSP. Therefore I would propose to change the payload to the barest needed complexity and add the Mozilla documentation to it, where the issue is also stated:
<scheme-source> data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
- M XSS Injection/README.md (4)
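A defender-side check for the weakness the quoted Mozilla text describes, added here as an example and not part of the pull request or the repository: it finds the directive that actually governs script elements in a policy and reports whether that directive lists `data:`. The function names and the sample policies in the comments are constructed for illustration.

```javascript
'use strict';

// Parse a serialized CSP into Map(directive name -> [source expressions]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Lookup order for <script> elements: the first directive present governs,
// so a data: entry in default-src only matters when script-src is absent.
const SCRIPT_CHAIN = ['script-src-elem', 'script-src', 'default-src'];

function auditScriptDataScheme(policy) {
  const directives = parseCsp(policy);
  const governing = SCRIPT_CHAIN.find((d) => directives.has(d)) || null;
  if (governing === null) {
    // No directive restricts scripts at all, so data: scripts are not blocked.
    return { governing, allowsData: true, strictDynamic: false };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  return {
    governing,
    // Only an explicit data: scheme-source counts; the * wildcard does not
    // match data: URIs.
    allowsData: sources.includes('data:'),
    // CSP Level 3: when 'strict-dynamic' is present, browsers that support it
    // ignore scheme-sources for scripts; older browsers still honour data:.
    strictDynamic: sources.includes("'strict-dynamic'"),
  };
}

// Constructed sample policies:
//   "default-src 'self'; script-src 'self' data:"  -> governed by script-src, data: allowed
//   "default-src data:; script-src 'self'"         -> governed by script-src, data: not allowed
```

A policy flagged with `allowsData: true` and `strictDynamic: false` is the configuration the Mozilla note warns against; removing `data:` from the governing directive is the fix.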