Dress Code – The Talk
ID: b40952ff-2957-5eae-83b2-206d1a44ef23
STIX ID: report--b40952ff-2957-5eae-83b2-206d1a44ef23
Feed Name: SensePost Blog
This report documents research into Content Security Policy (CSP) bypasses. The author identifies eight third-party services (Hotjar, Facebook, jsDelivr, AWS, Azure, CloudFront, Heroku, and Firebase) that can be abused to exfiltrate data or execute scripts, and provides proof-of-concept attacks against a lab site. It also presents a large-scale scan of the top 1M sites showing low CSP adoption (~10% overall, higher among top sites) and common misconfigurations: widespread use of unsafe-inline/unsafe-eval, missing report-to/base-uri directives, orphan domains, and lenient scheme allowances. The report concludes with practical recommendations for improving CSP deployment and monitoring.