A cyber security researcher named Omar shared a bug bounty tip on his LinkedIn account about how to bypass CSP. He mentioned that bypassing the Content Security Policy (CSP) is possible when a website allows “github.com” in a script-src or default-src directive.
An example Proof of Concept (POC) looks something like this:
In real-world scenarios, the GitHub link can be replaced with a link to the raw GitHub location of a malicious script.
This tip was shared by octagon-network.
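From the defender's side, the weakness above is a script-src (or fallback default-src) allowlist that names a host where any account holder can publish files. The following added example, which is not code from the post or from octagon-network, lints a CSP value for such entries; the `USER_CONTENT_HOSTS` set and the sample headers are constructed for illustration.

```python
"""Lint a Content-Security-Policy value for script sources pointing at hosts where
anyone can publish files. Added example, not code from the original post."""

# Constructed list for illustration; extend it to match your own threat model.
USER_CONTENT_HOSTS = {"github.com", "raw.githubusercontent.com",
                      "gist.githubusercontent.com"}

def parse_csp(header):
    """Return {directive: [source, ...]} for one policy string."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_pattern(source):
    """Reduce a host-source such as https://github.com/org/ to its host part."""
    src = source.lower().split("://", 1)[-1]      # drop the scheme if present
    return src.split("/", 1)[0].split(":", 1)[0]  # drop path and port

def source_allows(source, host):
    """True if a CSP host-source matches host (a wildcard covers subdomains only)."""
    if source.startswith("'"):                    # 'self', 'nonce-...', 'sha256-...'
        return False
    pattern = host_pattern(source)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])         # *.github.com does not match github.com
    return pattern in ("*", host)

def risky_script_sources(header):
    """Return sorted (directive, source) pairs that let user-content hosts serve scripts."""
    policy = parse_csp(header)
    # script-src governs scripts; default-src applies only when script-src is absent.
    directive = "script-src" if "script-src" in policy else "default-src"
    hits = {(directive, s) for s in policy.get(directive, [])
            for h in USER_CONTENT_HOSTS if source_allows(s, h)}
    return sorted(hits)

# Constructed header of the kind the post describes, beside a nonce-based one
# that names no third-party host at all.
WEAK_CSP = "default-src 'self'; script-src 'self' https://github.com https://cdn.example"
HARDENED_CSP = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'"

if __name__ == "__main__":
    print(risky_script_sources(WEAK_CSP))      # [('script-src', 'https://github.com')]
    print(risky_script_sources(HARDENED_CSP))  # []
```

Run it against the CSP header your application actually emits; any hit means a page-level script allowlist that a nonce or hash based policy would remove.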