its a CSP bypass in the sense of a user being able to send his own google analytics URL as an image tag, which is usually a trusted source in CSP
If my XSS-able form field has a length limit which truncates a long inline payload, and you replace it with <script src=//evil>, would you consider your exploit a "length limit bypass"?
-
-
Yes, that's the idea.
-
This seems to lose a fair amount of the usual meaning because you "bypass" a lot of things not reasonably meant to be security controls. But... ¯\_(ツ)_/¯
-
English is hard, what can I say :-)
-
Maybe evasion is more fitting? You evade the filter. This doesnt mean the filter sucks, just that you ignore it, or walk past it. If you evade a lock, you didn't compromise the lock's mechanism security.
-
But then, I bypass traffic by taking a shorter route, rather than driving through it, so I don't know… I give up.
-
Makes sense -- I bypass CSP by watching a movie on a Friday night and not worrying about XSS ;-)
-
Oh I know. "avoid"
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.