CSP not consistently applied
Unknown
Vulnerability Details
Also thought I'd formally submit the issue we discussed yesterday, that sometimes the CSP response headers served are missing for browsers that don't support them, but then the page without these headers can be cached by Cloudflare. This makes it easier to mount an XSS attack.
Report Stats
- Report ID: 321
- State: Closed
- Substate: resolved
- Upvotes: 28
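
An added example, not part of the original report: a Python check over response headers captured for one URL requested with different User-Agent values. It flags responses that lack Content-Security-Policy yet can be stored by a shared cache without `Vary: User-Agent`. The sample captures and User-Agent strings are constructed, and the cacheability test is a simplified assumption (explicit `max-age`/`s-maxage` only), not Cloudflare's actual rules.

```python
# Added example: audit captured headers for the CSP/shared-cache gap.
# Header names are standard HTTP; all sample data is constructed.

def directives(value):
    """Parse a Cache-Control value into {name: argument-or-None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

def shared_cacheable(headers):
    """Simplified assumption: storable by a CDN only with an explicit TTL."""
    cc = directives(headers.get("cache-control", ""))
    if cc.keys() & {"private", "no-store", "no-cache"}:
        return False
    ttl = cc.get("s-maxage") or cc.get("max-age")  # s-maxage wins for shared caches
    return bool(ttl) and ttl.isdigit() and int(ttl) > 0

def varies_on_ua(headers):
    """True if the cache key is split by User-Agent (or Vary: *)."""
    vary = {v.strip().lower() for v in headers.get("vary", "").split(",")}
    return bool(vary & {"user-agent", "*"})

def audit(captures):
    """captures: list of (user_agent, headers) for the same URL.
    Returns (user_agent, issue) tuples."""
    norm = [(ua, {k.lower(): v for k, v in h.items()}) for ua, h in captures]
    any_csp = any("content-security-policy" in h for _, h in norm)
    findings = []
    for ua, h in norm:
        if "content-security-policy" in h:
            continue
        if any_csp:
            findings.append((ua, "csp-missing-for-this-client"))
        if shared_cacheable(h) and not varies_on_ua(h):
            findings.append((ua, "headerless-response-shared-cacheable"))
    return findings

SAMPLE = [  # constructed captures
    ("ModernBrowser/1.0", {"Content-Security-Policy": "default-src 'self'",
                           "Cache-Control": "public, max-age=300"}),
    ("LegacyBrowser/1.0", {"Cache-Control": "public, max-age=300"}),
    ("LegacyBrowser/1.0 (private)", {"Cache-Control": "private, no-store"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Sending the policy on every response regardless of User-Agent clears both findings.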