web javascript csp-bypass importmap speculationrules browser-quirks

When classic inline scripts are blocked, test unusual script types whose CSP handling has had browser-version-dependent corners.

importmap / speculationrules as CSP Bypass Surfaces to Watch

CSP handling for unusual script types has had browser-version-dependent corners. They are worth testing when classic inline script paths are shut down.

Why It Matters

  • A fixed bot browser version may treat type="importmap" or type="speculationrules" differently from normal inline scripts under CSP.

Vulnerable Pattern

  • Sinks that allow arbitrary HTML tags into a page with CSP, especially when the browser version is known or fixed by the bot.

Exploit Flow

  1. Compare policy behavior on normal inline scripts vs. type="importmap" and type="speculationrules" tags in the same sink.

Common Blockers

  • Modern Chromium behavior may already close the gap you hoped to exploit.

PoC Sketch

<script type="importmap">{}</script>
<script type="speculationrules">{}</script>
<!-- compare CSP behavior against normal inline scripts -->
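As an added example (not from the original note), a small harness that turns the comparison above into a repeatable check against a given browser build: it serves a nonce-only policy with report-uri, embeds the three un-nonced script flavours, and records which ones produce a request (honoured) versus a violation report (blocked). The /hit and /csp-report paths, the "probe" specifier and the port are assumptions of the example.

```python
"""Added harness (not from the original note): a nonce-only CSP page embedding un-nonced
classic, importmap and speculationrules inline scripts, recording which ones the browser honours."""
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBES = {
    "classic": '<script>fetch("/hit?probe=classic")</script>',
    "importmap": '<script type="importmap">{"imports":{"probe":"/hit?probe=importmap"}}</script>',
    "speculationrules": '<script type="speculationrules">'
                        '{"prefetch":[{"urls":["/hit?probe=speculationrules"]}]}</script>',
}
OBSERVED = {"hits": [], "reports": []}  # a probe that runs despite the policy hits /hit?probe=<name>

def build_csp(nonce: str) -> str:
    # 'self' exists only so the nonced module below may load the URL the import map yields.
    return (f"script-src 'nonce-{nonce}' 'self' 'report-sample'; object-src 'none'; "
            "base-uri 'none'; report-uri /csp-report")

def build_page(nonce: str) -> str:
    # The nonced module's bare import of "probe" resolves only if the un-nonced import map was applied.
    return ("<!doctype html><title>CSP script-type probe</title>\n" + "\n".join(PROBES.values())
            + f'\n<script type="module" nonce="{nonce}">import("probe").catch(() => {{}})</script>')

def parse_report(raw: bytes) -> dict:
    # Keep only the report-uri fields that identify which probe was blocked.
    r = json.loads(raw).get("csp-report", {})
    return {"directive": r.get("effective-directive") or r.get("violated-directive"),
            "sample": (r.get("script-sample") or "")[:40]}

class Probe(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/hit?probe="):
            OBSERVED["hits"].append(self.path.split("=", 1)[1])
            return self._reply(b"export default 1;", "text/javascript")
        nonce = secrets.token_urlsafe(16)
        self._reply(build_page(nonce).encode(), "text/html", csp=build_csp(nonce))

    def do_POST(self):  # report-uri target
        OBSERVED["reports"].append(parse_report(self.rfile.read(int(self.headers.get("Content-Length", 0)))))
        self._reply(b"", "text/plain", status=204)

    def _reply(self, body, ctype, csp=None, status=200):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        if csp:
            self.send_header("Content-Security-Policy", csp)
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":  # then open http://127.0.0.1:8000/ in the browser under test
    HTTPServer(("127.0.0.1", 8000), Probe).serve_forever()
```

An entry in OBSERVED["hits"] means that script type ran despite lacking the nonce, while an entry in OBSERVED["reports"] means the browser blocked and reported it. Speculation-rules prefetches fire according to the browser's own heuristics, so a missing hit for that probe is not by itself proof that it was blocked; the violation report is the definitive signal.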

Good Situations To Use It

  • You can inject arbitrary tags but CSP blocks inline scripts.
  • The bot's browser version is known/fixed.
  • Classic inline-script paths are exhausted.

Sources

  • fcsc2026/web/shrimp_saver_revenge