CSP bypass

TL;DR: Loose source lists, script-gadgets, JSONP endpoints, or base-uri abuse defeat the policy.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

https://portswigger.net/research/bypassing-csp-with-policy-injection