Content Security Policy (CSP)

CSP is a mitigation technique preventing unwanted scripts from being executed in case of an XSS vulnerability on a website.

CSP may be defined via a the Content-Security-Policy HTTP response header, or alternatively using the HTML <meta> tag as done on this site (note that not all features are supported when using the <meta> tag).

The CSP for this website is:

Your input will get printed here, unescaped (suppose this was some sort of XSS vulnerability):
Your input:

Here are some things you might wanna try out:

• <b>Hello World</b>
• <script>alert("will not work!")</script>
• <script>alert("works due to correct hash!")</script>
• <script nonce="abcd">alert("works!")</script>
• <script nonce="wxyz">alert("works too!")</script>
• <script nonce="foo">alert("will not work!")</script>
• <img src="" onerror="alert('will not work!')">
• <img src="http://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png" />
• <img src="https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png" />
• <img src="http://de.wikipedia.org/static/images/project-logos/dewiki-2x.png" />
• <img src="https://de.wikipedia.org/static/images/project-logos/dewiki-2x.png" />
• This works only because 'strict-dynamic' is set: <script nonce="wxyz">s=document.createElement("script");s.innerText="alert('works!')";document.body.appendChild(s);</script>
• <script nonce="abcd">document.write('<script nonce="wxyz">alert(1337)<'+'/script>');</script>
• <script nonce="abcd">document.write('<script>alert(1337)<'+'/script>');</script>