Prevent auto clicked link XSS attack using CSP

Question

Whilst using CSP for a slightly different purpose (sandboxing) I realized that a very simple auto clicked link seems to bypass even relatively strict CSP. What I am describing i

Answer 1

Content Security Policy is for the security of the page itself. Navigating to another page is not a bypass or something that concerns CSP. CSP is only concerned with your page and what it can do. It's also not about restricting the utility of the browser for the end user (like the ability to install plugins or open links).

---

default-src 'none';

This tightens the policy to allow no XHR / Fetch / WebSockets / CSS / Font / JavaScript / Plugin content from anywhere. These all have their respective properties but in their absence the default property is used. You have not attempted to do any of these in your javascript.

script-src 'unsafe-inline';

This relaxes the policy to allow any javascript that is embedded into the page to be used. This includes onclick/onhover and that whole family of unsafe attributes. To quote the spec:

In either case, authors SHOULD NOT include either 'unsafe-inline' or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.

Instead of this, if you feel the need to embed content in the document itself for whatever reason, there are hash and nonce values that can be placed in your policy string to whitelist your inline scripts.