TL;DR: The Google developer documentation includes CSP examples that use domain wildcards (which have been widely cut & pasted), and additionally there are numerous endpoints within the Google eTLDs which are vulnerable to JavaScript XSS.
Oh dear. ;)
<script src=https://www.google.com/complete/search?client=firefox&q=why&jsonp=%28alert%281%29%29></script>
"they have updated the CSP documentation so that it no longer has the wildcards": which documentation? For maps, they still show the wildcards
haha, not all the docs then ;)
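As an added example (not part of the original post or its comments), this Python check audits a CSP for the pattern the TL;DR describes: script host-sources that are wildcards or that cover an endpoint known to echo a JSONP callback. The `KNOWN_JSONP` list, the sample policies and all function names are assumptions of this example; the one endpoint listed is the one in the script tag quoted above.

```python
from urllib.parse import urlsplit
# Endpoint from the script tag quoted on this page; the list is this example's assumption.
KNOWN_JSONP = [("www.google.com", "/complete/search")]
# Constructed sample policies, not taken from any real site.
WILDCARD = "default-src 'self'; script-src 'self' https://*.google.com"
PINNED = "script-src 'self' https://maps.googleapis.com https://www.google.com/maps/"

def script_sources(policy):
    """Return the source list governing <script src>, following CSP fallback."""
    directives = {}
    for part in policy.split(";"):
        name, *values = part.split() or [""]
        directives.setdefault(name.lower(), values)  # first occurrence wins
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return directives[name]
    return None

def host_matches(pattern, host):
    """'*.example.com' covers subdomains only, not the apex; '*' covers any host."""
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else pattern in ("*", host)

def path_matches(pattern, path):
    """No path allows everything; a trailing '/' is a prefix match, else exact."""
    return path.startswith(pattern) if pattern.endswith("/") else pattern in ("", path)

def audit(policy):
    """List script host-sources that are wildcards or cover a KNOWN_JSONP endpoint."""
    sources = script_sources(policy)
    if sources is None:
        return ["no script-src or default-src: script loads are unrestricted"]
    if any(s.lower() == "'strict-dynamic'" for s in sources):
        return []  # CSP3 browsers ignore host allowlists under 'strict-dynamic'
    findings = []
    for src in sources:
        if src.startswith("'") or src.endswith(":"):
            continue  # keyword, nonce, hash or scheme-source: not a host-source
        url = urlsplit(src if "//" in src else "//" + src)
        host = url.hostname or ""
        if "*" in host:
            findings.append(f"{src}: wildcard host")
        for jhost, jpath in KNOWN_JSONP:
            if host_matches(host, jhost) and path_matches(url.path, jpath):
                findings.append(f"{src}: allows JSONP endpoint {jhost}{jpath}")
    return findings

if __name__ == "__main__":
    print(audit(WILDCARD), audit(PINNED))
```

Scheme-sources such as `https:` are skipped by this check and need separate review, since they allow every host on that scheme.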