A policy is only as strong as its weakest source. This lab replays the five bypass patterns that show up most often in real engagements, with editable policy text and a concrete payload under test.
Host allowlists trust the entire origin. If that origin serves attacker-controlled JS, the bypass lands.
Reference: PortSwigger, 'Bypassing CSP with JSONP endpoints'
The payload host is explicitly or implicitly trusted, so CSP sees it as legitimate script even though the endpoint returns attacker-controlled JavaScript.
fix: Move away from host allowlists for script execution. Prefer nonce + strict-dynamic and remove JSONP-capable hosts.
Without report-uri or report-to, CSP violations happen silently. You won't see in-the-wild XSS attempts or accidental policy breakage.
fix: Add a report-to endpoint (modern) or report-uri (legacy). Even logging to your own server is a huge upgrade.
Optional. If your app may load from a mix of http:// and https:// origins, this directive auto-upgrades requests, blocking mixed content.
fix: Add upgrade-insecure-requests if you serve over HTTPS and may have legacy http:// references.