Cookie-Based Tracking via CSP Fallback

Image loads enable tracking even when connect-src restricts connections and data sharing

Content Security Policy

The policy applied to this page is:

default-src 'self' https:;
script-src 'self' 'unsafe-inline' https://tracker-script.pages.dev;
style-src 'self';
connect-src 'self' https://google.com;

Attack

A script loaded from tracker-script.pages.dev injects an image from tracker2.pages.dev. connect-src restricts only script-initiated connections such as fetch() and XMLHttpRequest; an <img> load is governed by img-src, and because the policy sets no img-src, that directive falls back to default-src, which permits any https: origin.

When the image is loaded, tracker2 returns a Set-Cookie header. The cookie is now stored without executing code or calling fetch(). For demonstration purposes only we set a session cookie; there is no restriction on the type of cookie that can be set from response headers.
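To make the fallback behaviour concrete, here is an added example (not code from the page or from any browser) that parses a serialized policy, resolves which directive actually governs a given load type, and checks a URL against it. It runs the page's policy against an image load and a fetch() to the same tracker host, and against a hardened variant with an explicit img-src 'self'. The page origin, the pixel URL and the HARDENED_POLICY are constructed for the example; port and path matching are deliberately simplified.

```python
"""Evaluate which CSP directive governs a resource load and whether it is allowed."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
# (frame-ancestors, base-uri, form-action and sandbox do NOT fall back.)
FALLS_BACK_TO_DEFAULT = {
    "img-src", "script-src", "style-src", "connect-src", "font-src",
    "media-src", "frame-src", "object-src", "manifest-src", "worker-src",
}

# The policy from the page, with the semicolon after style-src in place.
PAGE_POLICY = ("default-src 'self' https:; "
               "script-src 'self' 'unsafe-inline' https://tracker-script.pages.dev; "
               "style-src 'self'; connect-src 'self' https://google.com;")
# Hardened variant (constructed): an explicit img-src stops the fallback to default-src.
HARDENED_POLICY = PAGE_POLICY + " img-src 'self';"
# Constructed page origin and tracker pixel URL for the demonstration.
PAGE_ORIGIN = "https://example.test"
PIXEL_URL = "https://tracker2.pages.dev/pixel.gif"


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive name is ignored by browsers; the first one wins.
        directives.setdefault(name, tokens[1:])
    return directives


def governing_directive(directives: dict, directive: str):
    """Return (name, sources) of the directive that applies, or (None, None) if unrestricted."""
    if directive in directives:
        return directive, directives[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in directives:
        return "default-src", directives["default-src"]
    return None, None


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a URL (ports and paths ignored: simplification)."""
    u, p = urlsplit(url), urlsplit(page_origin)
    e = expr.lower()
    if e == "'self'":
        return (u.scheme, u.hostname) == (p.scheme, p.hostname)
    if e.startswith("'"):                  # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if e.endswith(":") and "//" not in e:  # scheme-source such as https:
        return u.scheme == e[:-1]
    # host-source: [scheme://]host ; an omitted scheme means "same scheme as the page"
    scheme, _, rest = e.rpartition("://")
    if (scheme or p.scheme) != u.scheme:
        return False
    host = rest.split("/")[0].split(":")[0]
    if host == "*":
        return True
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def is_allowed(policy: str, directive: str, url: str, page_origin: str):
    """Return (allowed, governing directive name) for one resource load."""
    name, sources = governing_directive(parse_csp(policy), directive)
    if sources is None:
        return True, None
    return any(source_matches(s, url, page_origin) for s in sources), name


def directives_using_fallback(policy: str) -> list:
    """List the fetch directives a policy leaves to default-src (useful when auditing a header)."""
    present = parse_csp(policy)
    return sorted(d for d in FALLS_BACK_TO_DEFAULT if d not in present)


if __name__ == "__main__":
    for label, policy in (("page policy", PAGE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: falling back to default-src -> {directives_using_fallback(policy)}")
        for directive in ("img-src", "connect-src"):
            ok, by = is_allowed(policy, directive, PIXEL_URL, PAGE_ORIGIN)
            print(f"  {directive:12} {PIXEL_URL} -> {'ALLOWED' if ok else 'blocked'} (by {by})")
```

The checker also makes the cost of a missing directive separator visible: if the semicolon after style-src is dropped, parse_csp() absorbs the connect-src tokens into style-src, connect-src is no longer present, and script connections silently inherit the permissive default-src as well. Run directives_using_fallback() over a candidate header and give every fetch directive that matters an explicit value instead of relying on the 'self' https: default.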