Multiple Fallbacks Demonstration

Third-party domains misuse fallback behavior to gain unintended privileges

Content Security Policy

The policy applied to this page is:

default-src 'self' https:;
style-src 'self';

Attack

This page allows script loading from tracker-script.pages.dev only through default-src fallback. It does not define frame-src or worker-src, so those fall back to the same permissive rule.

The script domain loads:

Flow Summary
tracker-script.pages.dev → Loads a visible script (legitimate)
tracker-script.pages.dev → Injects iframe from tracker2.pages.dev (via frame-src → default-src)
tracker-script.pages.dev → Starts Web Worker from tracker2.pages.dev (via worker-src → default-src)

This demonstrates how multiple third-party roles are collapsed when CSP directives are omitted, granting unintended execution power via fallback.
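The fallback behaviour described above can be checked mechanically. The following is an added example, not code from the demo page: it parses a serialized policy, walks the CSP Level 3 fallback chain for a given directive (frame-src falls back through child-src to default-src; worker-src through child-src and script-src to default-src), and reports which directive ended up governing a load from a given URL. It evaluates the page's own policy against a hardened variant that names frame-src and worker-src explicitly. The page origin, the hardened policy and the tested URLs are assumptions constructed for the example.

```javascript
// Added example (not the demo page's code): resolve which CSP directive
// actually governs a load when the specific directive is omitted.
// Fallback chains follow CSP Level 3 for the directives the page discusses.
const FALLBACK = {
  'script-src-elem': ['script-src', 'default-src'],
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'connect-src': ['default-src'],
  'img-src': ['default-src'],
  'object-src': ['default-src'],
};

// Parse "name src src; name src" into { name: [sources] }.
function parsePolicy(text) {
  const policy = {};
  for (const raw of text.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Walk the chain and return the first directive present in the policy.
function resolveDirective(policy, directive) {
  const chain = [directive, ...(FALLBACK[directive] || [])];
  for (const name of chain) {
    if (policy[name]) return { via: name, sources: policy[name] };
  }
  return { via: null, sources: null }; // nothing governs this load type
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression match the URL, given the page's own origin?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false;          // 'none' and other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

// Returns { allowed, via }: whether the load passes and which directive decided it.
function isAllowed(policyText, directive, urlText, pageOrigin) {
  const policy = parsePolicy(policyText);
  const { via, sources } = resolveDirective(policy, directive);
  if (sources === null) return { allowed: true, via };
  const url = new URL(urlText);
  return { allowed: sources.some((s) => sourceMatches(s, url, pageOrigin)), via };
}

// Assumed origin of the demo page (constructed for this example).
const PAGE_ORIGIN = 'https://demo.example';
// The policy shown on the page.
const PERMISSIVE = "default-src 'self' https:; style-src 'self';";
// A hardened variant (assumption): every role the page describes is named explicitly,
// so no load type can inherit the broad https: allowance through fallback.
const HARDENED =
  "default-src 'self'; script-src 'self' https://tracker-script.pages.dev; " +
  "style-src 'self'; frame-src 'none'; worker-src 'none';";

function demo() {
  const frame = 'https://tracker2.pages.dev/frame.html';
  const worker = 'https://tracker2.pages.dev/worker.js';
  const script = 'https://tracker-script.pages.dev/tracker.js';
  return {
    permissiveFrame: isAllowed(PERMISSIVE, 'frame-src', frame, PAGE_ORIGIN),
    permissiveWorker: isAllowed(PERMISSIVE, 'worker-src', worker, PAGE_ORIGIN),
    hardenedScript: isAllowed(HARDENED, 'script-src-elem', script, PAGE_ORIGIN),
    hardenedFrame: isAllowed(HARDENED, 'frame-src', frame, PAGE_ORIGIN),
    hardenedWorker: isAllowed(HARDENED, 'worker-src', worker, PAGE_ORIGIN),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the page's policy both the iframe and the worker from tracker2.pages.dev are decided by default-src and allowed. Note that in the hardened policy `worker-src 'none'` is not redundant: without it, worker-src would fall back to script-src and any host allowed to serve scripts could also start workers.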