Safari Security Vulnerability - CSP policy bypassed by script on Safari while Chrome successfully blocks it.

On our web pages we have allowed certain sources of scripts through a content-security-policy meta tag, which is working fine as expected on the Chrome browser and on Internet Edge.

However, there is a script called morosa.top; when it is inserted in our HTML page, Safari is not able to block it, while it was supposed to block it.

If this script gets executed, it starts taking screenshots of the screen and posts them to the hacker.

Please check this; it could be a potential issue.

[Edited by Moderator]

DevForums is primarily focused on helping developers use Apple’s APIs and tools. If your goal is to report a potential security vulnerability, you have a couple of options:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
