hacktricks
CSP bypass 'unsafe-eval' not working
Relating to this part of HackTricks.
The bypass shown here doesn't work on either the latest Chrome or Firefox. The reason is that, for a "data URI" to be evaluated, the 'data:' source needs to be exclusively allowed in the CSP setting. It has nothing to do with 'unsafe-eval' here.
PoC:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
<!-- script-src allows only https://google.com plus 'unsafe-eval'; no 'data:' scheme-source -->
<meta http-equiv="Content-Security-Policy" content="script-src https://google.com 'unsafe-eval';">
</head>
<body>
<!-- base64 payload decodes to: alert(document.domain) -->
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
</body>
</html>
The above PoC results in: "Refused to load the script 'data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==' because it violates the following Content Security Policy directive: "script-src https://google.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."
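To make the reported behaviour reproducible outside a browser, here is an added example (not code from the issue or from HackTricks) that models the CSP3 source-matching check a browser applies to a `<script src>` element, including the `script-src-elem` to `script-src` fallback named in the console message. It assumes a hypothetical page origin `https://example.test` for `'self'`; nonces, hashes, ports, paths and `'strict-dynamic'` are not modelled.

```javascript
// Added example (not the issue's or HackTricks' code): simplified CSP3 check
// for <script src="..."> showing why the PoC's data: script is refused.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Fallback chain for a script element, as in the Chrome console message:
// script-src-elem -> script-src -> default-src.
function scriptElemSources(policy) {
  return policy["script-src-elem"] ?? policy["script-src"] ?? policy["default-src"] ?? null;
}

// Does one source expression match the script URL?
function sourceMatches(src, url, selfOrigin) {
  const s = src.toLowerCase();
  if (s === "'self'") return url.origin === selfOrigin;      // data: URLs have origin "null"
  if (s.startsWith("'")) return false;  // 'none', 'unsafe-eval', 'unsafe-inline', nonces, hashes never match a URL
  if (s === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;  // scheme-source, e.g. data: or https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/.exec(s);  // host-source: [scheme://][*.]host
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme ? url.protocol !== scheme + ":" : !["http:", "https:"].includes(url.protocol)) return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Returns true when the script would be loaded, false when CSP refuses it.
// selfOrigin is a hypothetical page origin, used only for 'self'.
function scriptAllowed(cspHeader, scriptUrl, selfOrigin = "https://example.test") {
  const sources = scriptElemSources(parseCsp(cspHeader));
  if (sources === null) return true;  // no governing directive: nothing to enforce
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// The policy and data: script from the PoC above.
const POC_CSP = "script-src https://google.com 'unsafe-eval';";
const POC_SCRIPT = "data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==";
console.log(scriptAllowed(POC_CSP, POC_SCRIPT));                               // false: refused, 'unsafe-eval' is irrelevant
console.log(scriptAllowed("script-src https://google.com data:", POC_SCRIPT)); // true: only an explicit data: source allows it
```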
Same
Just want to confirm: I tested under all major browsers and this bypass does not seem to be working.
Thanks guys!! I have added a note in HackTricks. Sorry for the wait; next time feel free to send a PR about this, we check those much more frequently than issues.