Source Map feature allows you to send any request you desire regardless of whether it respects the current CSP rules set under the main domain or not, thus bypassing them completely!

It also allows you to downgrade a secure connection and send a request to http: even if the main page was loaded via https:!

In this example, the server responded with 'Content-Security-Policy', "default-src 'unsafe-inline'" and yet the browser successfully sends a request to!
Thus, both bypassing the current CSP rules (by sending a request to where is the only allowed origin) and successfully sending an SSL downgraded request (since main page is loaded via https: but the malicious request was made via http:)
You can tell it really worked by looking at the logs the server produces and seeing for yourself the Source Map request made it to the server, whereas the normal request failed to bypass the CSP rules!
Notice the RequestID query param, you can see its existence in the logs in both the requests and the responses, thus telling which request managed to get a response back to the browser and which didn't!

back to menu