# Content Security Policy (CSP) Bypass
🎙️ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) 🎙️ -🎥 Youtube 🎥
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
🐞 Read web3 bug tutorials
🔔 Get notified about new bug bounties
💬 Participate in community discussions
## What is CSP
Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of resources being allowed from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:`
Content Security Policy is implemented via **response headers** or **meta elements of the HTML page**. The browser follows the received policy and actively blocks violations as they are detected.
Implemented via response header:
```http
Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';
```
Implemented via meta tag:
```markup
```
### Headers
* `Content-Security-Policy`
* `Content-Security-Policy-Report-Only` This one won't block anything, only send reports (use in Pre environment).
## Defining resources
CSP works by restricting the origins from where active and passive content can be loaded from. It can additionally restrict certain aspects of active content such as the execution of inline javascript, and the use of `eval()`.
```
default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri /cspreport
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
```
### Directives
* **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
* **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in the CSP header the browser follows this directive by default.
* **Child-src**: This directive defines allowed resources for web workers and embedded frame contents.
* **connect-src**: This directive restricts URLs to load using interfaces like fetch, websocket, XMLHttpRequest
* **frame-src**: This directive restricts URLs to frames that can be called out.
* **frame-ancestors**: This directive specifies the sources that can embed the current page. This directive applies to [``](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frame), [`