Arbitrary Parentheses-less XSS
against strict CSP policies
In recent years, researchers have put an interesting XSS vector on the table: parentheses-less XSS.
It is no secret that known payloads can execute arbitrary XSS with a limited charset. One of the simplest is:
location=name
which, given a suitable window.name, will redirect to a ‘javascript:alert()’ URL and execute the arbitrary XSS stored in the window’s name.
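For defenders, the payload above shows why a filter that only rejects call syntax is not a control. The following is an added example, not code from the original article: it models the assignment reaching the navigation sink and pairs the weak blocklist with a heuristic sink-assignment check. All function names and sample values are constructed for illustration.

```javascript
// Added example, not code from the original article. Function names and the
// sample inputs are constructed for illustration.

// Model of the browser globals: `name` stands in for the attacker-controlled
// window.name, and assigning to `location` is the navigation sink. Nothing navigates.
function runInFakeWindow(code, windowName) {
  const navigations = [];
  const fakeWindow = {
    name: windowName,
    get location() { return 'https://app.example/'; },
    set location(url) { navigations.push(String(url)); },
  };
  // Function bodies built this way are sloppy-mode, so `with` can model global scope.
  new Function('w', 'with (w) { ' + code + ' }')(fakeWindow);
  return navigations;
}

// Weak control: treat input as harmless when it contains no call syntax.
function parenBlocklistAllows(input) {
  return !/[()`]/.test(input);
}

// Heuristic detection: an assignment (not a comparison) to a navigation sink.
// Apply it to decoded parameter *values*; a raw query string such as
// "?location=berlin" is a legitimate form field and would match.
const NAV_SINK_ASSIGNMENT =
  /(?:^|[^\w$.])(?:(?:window|document|self|top|parent)\s*\.\s*)?location(?:\s*\.\s*href)?\s*=(?!=)/;

function assignsNavigationSink(input) {
  return NAV_SINK_ASSIGNMENT.test(input);
}

// Constructed parameter values, as they might appear URL-decoded in a request log.
const SAMPLES = ['location=name', 'berlin', 'location == "home"'];

function triage(samples) {
  return samples.map((s) => ({
    input: s,
    passesBlocklist: parenBlocklistAllows(s),
    flagged: assignsNavigationSink(s),
  }));
}
```

The sink check is a triage signal only; the durable fix is to keep untrusted input out of script contexts altogether.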