CSP Bypass Cheat Sheet
Read the policy first
Look for: script-src, default-src, object-src, base-uri, require-trusted-types-for.
Common weak configurations
| Signal | Often allows |
|---|---|
'unsafe-inline' | Inline scripts, many event handlers |
'unsafe-eval' | eval, Function, some frameworks |
Missing object-src | Plugin/object vectors |
strict-dynamic + nonce leak | Scripts loaded by trusted scripts |
| JSONP / allowlisted CDNs | Script gadgets on third-party hosts |
Vectors to try (authorized targets only)
- JSONP endpoints on allowlisted domains
- Angular / Vue template injection when CSP allows inline templates
- Base tag to change script origins (
base-uriabsent) - DOM clobbering to bypass script gadgets
- CSS injection when
style-srcis loose (legacy IE / old browsers)
Use the in-app CSP analyzer to map categories before picking templates.