Closed Lednerb closed 6 years ago
Header:
Content-Security-Policy: #default-src 'self'; font-src 'self'
The # sign is illegal. Browser says:
Content Security Policy: Couldn't process unknown directive '#default-src'
Rating rates: 100
FIX: Only allow a whitelist of directives and values such as 'self' or 'none' or URLs, without wildcards.
Maybe parse CSP according to the/some standard?
https://www.w3.org/TR/CSP/#serialized-csp
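An added example of what the two suggestions above amount to in code (this is not the HSHS-DOMXSS-Scanner's own code, which is not shown in this issue): a parser that follows the serialized-policy grammar and the "parse a serialized CSP" steps from https://www.w3.org/TR/CSP/#serialized-csp (split on ";", trim ASCII whitespace, lowercase the directive name, ignore duplicates), rejects directive names outside `1*( ALPHA / DIGIT / "-" )`, and then rates the effective policy against a whitelist of directives and source expressions. The `KNOWN_DIRECTIVES` set, the `rate_csp` scoring weights and the `-25` per finding are assumptions chosen for illustration, not the scanner's actual rating scheme. For the header from this issue the illegal `#default-src` is dropped the way the browser drops it, the remaining policy restricts only fonts, and the score falls to 0 instead of 100.

```python
import re

# Added example, not the scanner's own code. Parses one serialized CSP policy
# per https://www.w3.org/TR/CSP/#serialized-csp and rates the effective policy.
# KNOWN_DIRECTIVES and all scoring weights are assumptions for illustration.

# Directive names defined in CSP3 plus widely deployed legacy ones (assumed list).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "child-src", "frame-src",
    "worker-src", "manifest-src", "prefetch-src",
    "base-uri", "sandbox", "form-action", "frame-ancestors",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
}
# Directives whose value is not a source list; their tokens are not classified.
NON_SOURCE_LIST = {"sandbox", "report-uri", "report-to", "upgrade-insecure-requests",
                   "block-all-mixed-content", "require-trusted-types-for", "trusted-types"}

ASCII_WS = " \t\n\r\x0c"                              # ASCII whitespace per the spec
DIRECTIVE_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")   # directive-name = 1*( ALPHA / DIGIT / "-" )
SAFE_KEYWORDS = {"'self'", "'none'", "'strict-dynamic'", "'report-sample'"}
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", "'wasm-unsafe-eval'"}
NONCE_OR_HASH_RE = re.compile(r"^'(nonce-[A-Za-z0-9+/=_-]+|(sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+)'$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
HOST_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"              # optional scheme-part
    r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"  # host-part, "*" or "*." allowed
    r"(?::(?:\d+|\*))?(?:/[^\s?#]*)?$"                # optional port-part and path-part
)


def parse_serialized_csp(header: str):
    """Return (policy, problems). policy maps lowercase directive name -> value tokens.

    One policy only: a comma-separated serialized-csp-list must be split on ","
    by the caller first. Unknown or malformed directive names are reported and
    dropped, which mirrors what browsers do (they warn and ignore them).
    """
    policy: dict[str, list[str]] = {}
    problems: list[str] = []
    for token in header.split(";"):
        token = token.strip(ASCII_WS)
        if not token:
            continue
        parts = re.split(r"[ \t\n\r\x0c]+", token)
        name, values = parts[0].lower(), parts[1:]
        if not DIRECTIVE_NAME_RE.match(name):
            problems.append(f"illegal directive name {name!r} (browsers ignore it)")
        elif name in policy:
            problems.append(f"duplicate directive {name!r} ignored")   # spec: first one wins
        elif name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {name!r} (browsers ignore it)")
        else:
            policy[name] = values
    return policy, problems


def classify_source(value: str) -> str:
    """Classify one source expression as keyword, unsafe, nonce-or-hash, scheme, host, wildcard or invalid."""
    lower = value.lower()
    if value == "*":
        return "wildcard"
    if lower in UNSAFE_KEYWORDS:
        return "unsafe"
    if lower in SAFE_KEYWORDS:
        return "keyword"
    if NONCE_OR_HASH_RE.match(value):
        return "nonce-or-hash"
    if SCHEME_RE.match(value):
        return "scheme"
    if HOST_RE.match(value):
        return "wildcard" if "*" in value else "host"
    return "invalid"


def rate_csp(header: str):
    """Return (score 0..100, findings). Weights are assumed values for illustration."""
    policy, findings = parse_serialized_csp(header)
    score = 100 - 25 * len(findings)                 # malformed header: deduct per problem
    for name, values in policy.items():
        if name in NON_SOURCE_LIST:
            continue
        for value in values:
            kind = classify_source(value)
            if kind in ("wildcard", "unsafe", "invalid"):
                findings.append(f"{name}: {kind} source {value!r}")
                score -= 25
    # Without default-src or script-src the effective policy does not restrict scripts.
    if "default-src" not in policy and "script-src" not in policy:
        findings.append("no default-src or script-src: scripts are unrestricted")
        score = 0
    return max(score, 0), findings


if __name__ == "__main__":
    # Constructed inputs: the header from this issue and two contrasting policies.
    for hdr in ("#default-src 'self'; font-src 'self'",
                "default-src 'self'; font-src 'self'",
                "default-src *; script-src 'unsafe-inline' https://cdn.example.com"):
        print(hdr, "->", rate_csp(hdr))
```

Directive names are compared case-insensitively and only the first occurrence of a name counts, exactly as the spec's parsing algorithm does, so `Default-Src 'self'; default-src *` still rates as a `'self'`-only policy with a duplicate warning rather than silently widening to `*`.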
Working on it.
Done by https://github.com/SIWECOS/HSHS-DOMXSS-Scanner/commit/11553d4c23722b6625b6e71dbd73559a4fa90eb4