CSP Playground


Welcome to the CSP Playground. Here you can define your own Content Security Policy (CSP) and test it against various code injections. The attack string is reflected on the rendered page without any encoding, so it behaves exactly like a reflected XSS sink. Please note that some CSPs may break functionality or design on this page (Bootstrap etc.), since the page's own resources are subject to the policy you define.



Possible demos:

Enabling inline scripts:
With 'unsafe-inline' in script-src, any inline <script> block or inline event handler that an attacker manages to inject executes. This setting effectively disables CSP as an XSS mitigation.
default-src 'self'; script-src 'self' 'unsafe-inline'
<script>alert(1)</script>
Enabling data URIs:
This CSP allows data: URIs as a source for scripts (and, via default-src, nothing else). Because the attacker controls the URI, the script body is under their control as well: the base64 payload in the demo below decodes to alert("data-source"). data: should therefore never appear in script-src.
default-src 'self'; script-src 'self' data:
<script src="data:;base64,YWxlcnQoImRhdGEtc291cmNlIik="></script>
Whitelisting with hashes:
Hashes whitelist specific inline script blocks. The browser hashes the exact text between <script> and </script> and allows the block only if the base64-encoded digest (here SHA-256) appears in the policy. Any change to the script text, including whitespace or quote style, produces a different hash and the block is blocked.
default-src 'self'; script-src 'self' 'sha256-IBpF0Gyh/rgO3UX+i5az7EuonaUVF7gzZGuUrZeI7hI='
<script>alert("hash-whitelisted")</script>
Whitelisting with nonces:
Nonces whitelist specific script tags: a <script> executes only if its nonce attribute matches a 'nonce-...' value in the policy. Generate a fresh, unpredictable nonce from a cryptographic random source for every response; a static or guessable nonce (like the demo value r4nd0m, which is for illustration only) lets an attacker simply include it in the injected tag.
default-src 'self'; script-src 'self' 'nonce-r4nd0m'
<script nonce="r4nd0m">alert('nonce-whitelisted')</script>
Scripts loading other scripts:
Trust is not propagated automatically. If a whitelisted script loads a further script from an origin that is not in the policy, that second load is blocked: the nonce only covers the tag that carries it. The script referenced below tries to load a second script dynamically from a different origin and fails, because that origin is not whitelisted.
default-src 'self'; script-src 'self' 'nonce-3xt3rn4l'
<script nonce="3xt3rn4l" src="https://a.compass-demo.com/csp_playground/static/remote2.js"></script>
Propagating trust:
The 'strict-dynamic' source expression can be combined with nonces or hashes to propagate trust: a script whitelisted by nonce or hash may load further scripts, and those inherit the trust. The script referenced below can therefore dynamically load another script from a different origin. This works only for scripts that are not parser-inserted, i.e. created through DOM APIs such as document.createElement('script') and then appended to the document. Keep in mind that once 'strict-dynamic' is present, browsers that support it ignore the explicit whitelisted sources such as 'self', host names and 'unsafe-inline'; the 'self' in the policy below has no effect in such browsers and only serves as a fallback for older ones.
default-src 'self'; script-src 'self' 'nonce-pr0p4g4t3d' 'strict-dynamic'
<script nonce="pr0p4g4t3d" src="https://a.compass-demo.com/csp_playground/static/remote2.js"></script>
Breaking trust propagation:
Trust propagation via 'strict-dynamic' does not extend to parser-inserted scripts. If the whitelisted script inserts another script via document.write('<script src="...">'), the HTML parser creates the resulting <script> element, which carries no nonce and inherits no trust, so it is blocked.
default-src 'self'; script-src 'self' 'nonce-p4rs3r-1ns3rt3d' 'strict-dynamic'
<script nonce="p4rs3r-1ns3rt3d" src="https://a.compass-demo.com/csp_playground/static/remote3.js"></script>
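The two loader patterns behind the last two demos, as an added example that is not the playground's own remote2.js or remote3.js. Under 'strict-dynamic', a script that already executes with a valid nonce may create further script elements through DOM APIs and they run; a script inserted through document.write() is parser-inserted and is blocked. Both functions take the Document as a parameter so that they can be exercised outside a browser with a stub; the second-script URL is a placeholder, not a real resource.

```javascript
// Added example, not the playground's remote2.js/remote3.js.

// Allowed under 'strict-dynamic': the element is created via DOM APIs, so it is
// not parser-inserted and inherits the trust of the nonce-carrying caller.
function loadViaCreateElement(doc, url) {
  const script = doc.createElement('script');
  script.src = url;
  doc.head.appendChild(script);
  return script;
}

// Blocked under 'strict-dynamic': the markup goes through the HTML parser, so the
// resulting <script> is parser-inserted, has no nonce and inherits no trust.
function loadViaDocumentWrite(doc, url) {
  const markup = `<script src="${url}"><\/script>`;
  doc.write(markup);
  return markup;
}

// In a browser, the nonce-carrying script would use the first pattern.
// The URL is hypothetical (placeholder for the second script of the demo).
if (typeof document !== 'undefined') {
  loadViaCreateElement(document, 'https://example.invalid/second.js');
}
```

The practical consequence for application code: with a nonce plus 'strict-dynamic' policy, third-party loaders that rely on document.write() stop working and have to be replaced with DOM-based insertion, while loaders that already use createElement keep working without any host being whitelisted.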