http: even if the main page was loaded via
In this example, the server responded with
'Content-Security-Policy', "default-src 'unsafe-inline' https://px-blog-source-map-anti-debug.appspot.com"
and yet the browser successfully sends a request to
Thus, both bypassing the current CSP rules (by sending a request to
px-blog-source-map-anti-debug.appspot.com is the only allowed origin)
and successfully sending an SSL-downgraded request (since the main page is loaded via https: but the malicious request was made via
You can tell it really worked by looking at the logs the server produces and seeing for yourself that the Source Map request made it to the server, whereas the normal request failed to bypass the CSP rules!
RequestID query param, whose presence you can see in the logs in both the requests and the responses, thus telling which request managed to get a response back to the browser and which didn't!
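As an added example (not code from the original post), this script automates the log check described above: it parses the quoted CSP header, correlates the RequestID query param across the server's REQUEST and RESPONSE log records, and reports which tagged requests CSP should have blocked yet the server answered anyway. The log format, the request IDs and the sourcemap-host.example origin are constructed for the example, not taken from the post.

```python
from urllib.parse import parse_qs, urlsplit

CSP = "default-src 'unsafe-inline' https://px-blog-source-map-anti-debug.appspot.com"  # header quoted above

# Constructed: tagged requests the page issued; sourcemap-host.example is a placeholder.
ISSUED = {
    "script-1": "https://px-blog-source-map-anti-debug.appspot.com/main.js",
    "fetch-2": "http://sourcemap-host.example/probe",
    "sourcemap-3": "http://sourcemap-host.example/main.js.map",
}

# Constructed log (hypothetical format); fetch-2 is absent: CSP stopped it in the browser.
SERVER_LOG = """\
REQUEST  https://px-blog-source-map-anti-debug.appspot.com/main.js?RequestID=script-1
RESPONSE https://px-blog-source-map-anti-debug.appspot.com/main.js?RequestID=script-1
REQUEST  http://sourcemap-host.example/main.js.map?RequestID=sourcemap-3
RESPONSE http://sourcemap-host.example/main.js.map?RequestID=sourcemap-3
"""

def csp_allows(csp, url):
    """True if the default-src list of `csp` permits `url`. Host sources only (no
    'self', wildcards, paths); a https: source never matches a http: URL."""
    sources = next((d.split()[1:] for d in csp.split(";")
                    if d.split()[:1] == ["default-src"]), [])
    t = urlsplit(url)
    # A source matches its own scheme; http: sources additionally match https: URLs.
    matching = {t.scheme} | ({"http"} if t.scheme == "https" else set())
    for src in sources:
        s = urlsplit(src)  # keyword sources such as 'unsafe-inline' have no hostname
        if s.hostname and s.hostname == t.hostname and s.scheme in matching:
            return True
    return False

def seen_in_log(log_text):
    """Map each RequestID in the server log to the record kinds that carried it."""
    seen = {}
    for line in filter(None, log_text.splitlines()):
        kind, url = line.split(None, 1)
        for rid in parse_qs(urlsplit(url).query).get("RequestID", []):
            seen.setdefault(rid, set()).add(kind)
    return seen

def verdicts(issued, csp, log_text):
    """RequestID -> (csp_allowed, answered_by_server, sent_over_plain_http). Not allowed
    yet answered is the CSP bypass; plain http from a https: page is the downgrade."""
    seen = seen_in_log(log_text)
    return {rid: (csp_allows(csp, url),
                  {"REQUEST", "RESPONSE"} <= seen.get(rid, set()),
                  urlsplit(url).scheme == "http")
            for rid, url in issued.items()}
```

Running verdicts(ISSUED, CSP, SERVER_LOG) flags sourcemap-3 as answered despite not being allowed by the policy, and as sent over plain http, which is the combination the post's log inspection is looking for.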