
CSP Security: How Content Security Policy Fails Pentesters

Hacker News

A pentester's frustrating CTF experience with Content Security Policy (CSP) reveals why this browser security feature often fails in practice. The author discovered that even when CSP is configured, subtle misconfigurations can leave applications vulnerable to cross-site scripting attacks.

CSP works like a nightclub bouncer, with the server sending policies that tell browsers which scripts to trust. The policy uses directives like script-src and default-src to control resource loading, but missing directives or overly permissive settings can completely undermine security. When default-src isn't specified, browsers apply no restrictions at all.

Common vulnerabilities include unsafe-inline directives that allow traditional XSS techniques, missing base-uri directives enabling URL redirection attacks, and wildcard subdomains that grant attackers access through any compromised subdomain. The article details how pentesters can identify these weaknesses by examining response headers and testing for missing object-src controls or overly broad https: permissions.
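As an added example (not code from the article or its author), a small Python audit that parses a Content-Security-Policy header and flags the weaknesses summarized above: a missing default-src, 'unsafe-inline' without a nonce or hash, wildcard or scheme-only script sources, a missing base-uri, and an unrestricted object-src. The sample policies are constructed for illustration.

```python
"""Audit a CSP header value for common misconfigurations (constructed example)."""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing a fetch directive; falls back to default-src, None = unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def audit_csp(header: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    scripts = effective(policy, "script-src")
    if scripts is None:
        findings.append("script-src unrestricted: no script-src and no default-src fallback")
    else:
        # Browsers that support nonces/hashes ignore 'unsafe-inline' when one is present.
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': classic inline XSS is not blocked")
        for src in scripts:
            if src in ("*", "https:", "http:"):
                findings.append(f"script-src allows overly broad source {src}")
            elif src.startswith("*."):
                findings.append(f"script-src trusts wildcard subdomain {src}: any compromised subdomain can serve scripts")
    # base-uri does NOT fall back to default-src, so it must be set explicitly.
    if "base-uri" not in policy:
        findings.append("missing base-uri: an injected <base> tag can redirect relative script URLs")
    if effective(policy, "object-src") is None:
        findings.append("object-src unrestricted: plugin content can be used to run script")
    return findings


WEAK_POLICY = "script-src 'self' 'unsafe-inline' https: *.cdn.example; img-src *"
STRICT_POLICY = "default-src 'none'; script-src 'self' 'nonce-abc123'; base-uri 'none'; object-src 'none'"

if __name__ == "__main__":
    for name, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_csp(header) or ["no findings"])
```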