JavaScript Redirect

With Optional Content Security Policy and "X-XSS-Protection" Header(s)

(see tables at the bottom of this page)

"Spartan"/"Edge" Update:

Microsoft's "Spartan"/"Edge" browser respects the Content Security Policy header. Properly utilized, it will prevent this type of injection from working.

This does not fix the underlying issue, and expecting every website everywhere to add correctly formatted Content Security Policy HTTP response headers is unrealistic.


If you have your own external JavaScript (.js) or plain text file you wish to use, enter its URL/URI here:


The injection lands inside a JavaScript redirect. The injected JavaScript would normally execute when the user is redirected.

NOTE: This does not work in Internet Explorer 8; it does work in Internet Explorer 9, 10, and 11.
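An added example, not code from this page's PHP files: a Python sketch of the injection point described above, showing a redirector that concatenates the target straight into JavaScript source beside one that validates the target and emits it as an escaped JS string literal. The sample target string and all function names are constructed for the demonstration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample input: a redirect target carrying characters that would
# terminate a double-quoted JS string and close the <script> element.
UNTRUSTED_TARGET = 'https://example.test/?next="; </script><!--'


def render_vulnerable(target: str) -> str:
    """Naive redirector: the target is concatenated straight into JS source."""
    return '<script>window.location.href = "' + target + '";</script>'


def js_string_literal(value: str) -> str:
    """Encode a string as a JS string literal that is safe inside <script>.

    json.dumps escapes quotes and backslashes and, with its default
    ensure_ascii=True, already hex-escapes non-ASCII characters such as the
    JS line terminators U+2028/U+2029. The HTML-significant characters are
    then hex-escaped too, so the literal can never close the element.
    """
    literal = json.dumps(value)
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026')):
        literal = literal.replace(ch, esc)
    return literal


def round_trips(value: str) -> bool:
    """Check that the escaped literal still decodes to the original string."""
    return json.loads(js_string_literal(value)) == value


def is_allowed_target(target: str) -> bool:
    """Defence in depth: only absolute http(s) URLs may be redirect targets,
    which keeps javascript: and data: URLs out of location.href."""
    parts = urlsplit(target)
    return parts.scheme in ('http', 'https') and bool(parts.netloc)


def render_hardened(target: str) -> str:
    """Hardened redirector: validate the target, then emit it as an escaped
    JS string literal rather than by concatenation."""
    if not is_allowed_target(target):
        target = '/'  # fall back to a safe local default
    return '<script>window.location.href = ' + js_string_literal(target) + ';</script>'


def script_closes(html: str) -> int:
    """Count how many times the rendered page closes a <script> element."""
    return html.count('</script>')
```

With the constructed target, the naive page ends up with two `</script>` closes and attacker-controlled markup after the first; the hardened page keeps exactly one and the whole target stays inside a single string literal.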


Source of "javascriptRedirectorPage.php"

Source of "javascriptRedirectLandingPage.php"

Try this partially URL-encoded injection:




Table 1 of 2: To add the Content Security Policy header of choice, refer to the following table:

Content Security Policy Options

CSP header(s) desired                                    | HTTP Response Header(s)                        | Query string parameter/value pair to add to injection
---------------------------------------------------------|------------------------------------------------|------------------------------------------------------
None                                                     | N/A                                            | N/A
All 3 CSP headers                                        | Content-Security-Policy: script-src 'self';    | csp=0
                                                         | X-Content-Security-Policy: script-src 'self';  |
                                                         | X-Webkit-CSP: script-src 'self';               |
Just the Official CSP Header (Chrome 25+, Firefox 23+,   | Content-Security-Policy: script-src 'self';    | csp=1
Opera 19+, "Spartan"/"Edge")                             |                                                |
Just the header recognized by Internet Explorer 10 & 11  | X-Content-Security-Policy: script-src 'self';  | csp=2
Just the header recognized by Chrome 14 through 24 &     | X-Webkit-CSP: script-src 'self';               | csp=3
Safari 6+                                                |                                                |
Both the Official and Internet Explorer-recognized       | Content-Security-Policy: script-src 'self';    | csp=4
headers                                                  | X-Content-Security-Policy: script-src 'self';  |
Both the Official and Chrome 14 through 24 &             | Content-Security-Policy: script-src 'self';    | csp=5
Safari 6+-recognized headers                             | X-Webkit-CSP: script-src 'self';               |
Both the Internet Explorer-recognized and Chrome 14      | X-Content-Security-Policy: script-src 'self';  | csp=6
through 24 & Safari 6+-recognized headers                | X-Webkit-CSP: script-src 'self';               |


Table 2 of 2: To add the X-XSS-Protection header of choice, refer to the following table:

X-XSS-Protection Options

X-XSS-Protection desired                           | HTTP Response Header            | Query string parameter/value pair to add to injection
---------------------------------------------------|---------------------------------|------------------------------------------------------
None                                               | N/A                             | N/A
Disable XSS protection                             | X-XSS-Protection: 0             | xph=0
Enable XSS protection                              | X-XSS-Protection: 1             | xph=1
Enable XSS protection, block rendering of the page | X-XSS-Protection: 1; mode=block | xph=2
