Script Src Wildcard Scenario

Content-Security-Policy: script-src 'self' https://google.com https: data *

This page allows scripts from any source. Try injecting a script:

Submit