by ubernostrum
3490 days ago
It still doesn't work, though. Taking the full scenario into effect, it's:

1. If the site has a CSP allowing JavaScript from "self", and
2. If the site has an upload feature hosted on the domain of "self", and
3. If the site gives someone the ability to inject a script tag pointing to an arbitrary target,
4. Then it's exploitable.

But conditions 1-3 effectively are the "you've already been rooted" case. This is a technically-interesting way to exploit the fact, but in itself is not the vulnerability; it's simply exploiting a vulnerability that was already there and wide open.
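A defender-side check for the combination this comment describes, added here as an example and not code from the thread: it parses a Content-Security-Policy header (with the spec's script-src to default-src fallback) and flags a policy whose effective script sources trust 'self' while uploads are served from that same origin. The function names, the site and upload URLs, and the sample headers are all assumptions constructed for the example.

```python
"""Flag a CSP that trusts 'self' for scripts while uploads share that origin.

Added example (not from the thread). All names, URLs and headers below are
constructed for illustration.
"""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Parse a CSP header into {directive: [source expressions]}.

    Per the spec a repeated directive is ignored, so the first one wins.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict) -> list:
    """script-src governs scripts; when absent, CSP falls back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] so two origins compare by value."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def self_scripts_with_same_origin_uploads(header: str, site_url: str, upload_url: str):
    """Return a finding when conditions 1 and 2 of the comment both hold, else None."""
    sources = [s.strip("'\"").lower() for s in effective_script_sources(parse_csp(header))]
    # 'strict-dynamic' makes browsers ignore 'self' and host sources entirely,
    # so a nonce/hash policy with it is not affected by same-origin uploads.
    if "strict-dynamic" in sources:
        return None
    site = origin_of(site_url)
    if "self" not in sources and site not in sources:
        return None  # condition 1 fails: own origin is not a script source
    if origin_of(upload_url) != site:
        return None  # condition 2 fails: uploads live on a separate origin
    return (f"scripts may load from {site} and user uploads are served from it; "
            "serve uploads from a separate origin or use nonces/hashes with 'strict-dynamic'")
```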