On this page, I'd like to collect a set of CSP bypasses related to nonces. CSP policies using nonces are considered very strong in terms of security. However, there are many (sometimes unusual) situations in which nonces can be bypassed.
It is still unclear to me, if these bypasses have a practical impact on CSP's protective capabilities. Nevertheless, I'd like to explore these situations to better understand the boundaries of CSP.
Furthermore, I'd like to encourage other researchers to have a closer look at CSP nonces.
Bypassing script nonces via the browser cache (DOM-based XSS) Bypassing script nonces via the BFCache (by @arturjanc ) Bypassing script nonces via partial markup injections Bypassing script nonces via event handlers and changeable sources Bypassing script nonces via DOM XSS (by @sirdarckcat ) Bypassing script nonces via CSS I (by @sirdarckcat ) Bypassing script nonces via CSS II (by @sirdarckcat ) Bypassing script nonces via SVG set tags (by @sirdarckcat ) Bypassing script nonces via SVG animate tags (by @0x6D6172696F ) Bypassing script nonces via XSLT (by @sirdarckcat ) Bypassing script nonces via base tags (by @jackmasa ) Bypassing script nonces via CLOSURE_BASE_PATH (by @sirdarckcat ) Bypassing script nonces by predicting random numbers Bypassing script nonces by injecting into a URL of a nonced script Bypassing script nonces by injecting into a nonced script
