diff --git a/content/Etudiants/zz2-f5-websec.md b/content/Etudiants/zz2-f5-websec.md
index db1252f68788d5fb23d97931d97683824c76401d..5594c35da1cd9df46129ae858f0458dff14fc143 100644
--- a/content/Etudiants/zz2-f5-websec.md
+++ b/content/Etudiants/zz2-f5-websec.md
@@ -168,15 +168,15 @@ Tags: cours
     </a>
     <ul>
       <li>
-        <a href="(slides/1337/csp.html"
+        <a href="slides/1337/csp.html"
           class="customizable">
-          CSP <i class="fas fa-hammer"></i>
+          CSP
         </a>  
       </li>
       <li>
-        <a href="(slides/1337/sop.html"
+        <a href="slides/1337/sop.html"
           class="customizable">
-          SOP/CORS <i class="fas fa-hammer"></i>
+          SOP/CORS
         </a>  
       </li>
     </ul>
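Review bot: The real bug here was the stray `(` at the start of both `href` values (`"(slides/1337/csp.html"`), which produced a relative link to a non-existent path; dropping it is the right fix. Dropping the `<i class="fas fa-hammer"></i>` marker at the same time implies these two decks are no longer work-in-progress; if that icon is the convention for unfinished decks elsewhere in this list, confirm the other entries still carry it where they should. Minor: the `</a>  ` context lines keep trailing whitespace.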
@@ -224,6 +224,8 @@ Tags: cours
 <hr />
 
 ## Installer DVWA sur sa VM perso
+
+* [https://github.com/digininja/DVWA#linux-packages](https://github.com/digininja/DVWA#linux-packages)
 ## Recréer l'environnement de cours dans VirtualBox
 
 * testé avec [VirtualBox 5.2.18](https://download.virtualbox.org/virtualbox/5.2.18/virtualbox-5.2_5.2.18-124319~Ubuntu~bionic_amd64.deb) sous [Ubuntu Bionic](http://releases.ubuntu.com/bionic/)
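Review bot: A blank line is missing between the new bullet and the following `## Recréer l'environnement de cours dans VirtualBox` heading; some Markdown renderers will not close the list before the heading. Also consider descriptive link text as the rest of the page uses (e.g. "DVWA, section Linux packages") instead of repeating the raw URL as the anchor text.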
diff --git a/content/slides/1337/md/csp.md b/content/slides/1337/md/csp.md
index c9ad867f7dee1a9ae9368b1c58129a9b914cce70..29cef1550d787f369195d53892bca11ea28bfb7e 100644
--- a/content/slides/1337/md/csp.md
+++ b/content/slides/1337/md/csp.md
@@ -3,7 +3,7 @@
 ## a.k.a. Content Security Policy
 
 
-## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
+### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
 
 * En-tête renvoyée côté serveur
   * protéger son contenu
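Review bot: Demoting this title from `##` to `###` (and the two matching titles later in this file) changes the slide nesting, while the equivalent `## [... **SOP**: Same Origin Policy]` heading in `sop.md` is left at `##` in the same patch; if the intent is to group the repeated CSP titles as vertical sub-slides, the same treatment should be applied to the SOP deck for consistency, or the reason for the difference noted in the commit.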
@@ -12,10 +12,12 @@
     * quelles tentatives ont été menées
 
 
-## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
+### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
 
 ```http
-Content-Security-Policy: script-src 'self' https://apis.google.com; frame-src 'none'
+Content-Security-Policy:
+  script-src 'self' https://apis.google.com; 
+  frame-src 'none'
 ```
 
 * informera le browser que
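Review bot: The reflowed header in the `http` fence is now split over three lines with leading spaces and a trailing space after `https://apis.google.com; `. That is fine for readability on a slide, but it is not a valid on-the-wire header (HTTP/1.1 line folding is obsolete and most servers will reject it), so add a one-line caveat that the real header is a single line, otherwise students will paste it verbatim into a server config. Also strip the trailing whitespace on the `script-src` line.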
@@ -23,7 +25,7 @@ Content-Security-Policy: script-src 'self' https://apis.google.com; frame-src 'n
   * les balises iframes ne doivent pas être interprétées
 
 
-## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
+### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
 
 ![CSP](images/xss/csp.png "CSP")<!-- .element style="text-align: center" -->
 
@@ -34,3 +36,23 @@ Note:
 - couvre également le cas d'une iframe qui recouvre une page légitime
 
 
+### <i class="fa-solid fa-bomb"></i> CSP / low
+
+```http
+Content-Security-Policy: 
+  script-src 'self' https://pastebin.com hastebin.com 
+  www.toptal.com example.com code.jquery.com 
+```
+
+* écriture d'un fichier js sur l'hôte local via une autre faille [upload](upload.html) par exemple
+* exécution directement sur [https://pastebin.com/raw/SAB3JTJc](https://pastebin.com/raw/SAB3JTJc)
+  * ne fonctione pas depuis Firefox 72 car l'entête [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) force la désactivation du [MIME sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing)
+    réponse pastebin
+    ```http
+    ..
+    X-Content-Type-Options: nosniff
+    ...
+    ```
+    * https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
+    * https://www.komodosec.com/post/mime-sniffing-xss
+    * https://dev.to/ms_74/what-is-corb-3m3f
\ No newline at end of file
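Review bot: Typo on the Firefox bullet: `ne fonctione pas` should read `ne fonctionne pas`, and the file now ends without a trailing newline (`\ No newline at end of file`). On substance, the explanation is slightly off: `X-Content-Type-Options: nosniff` does not merely "disable MIME sniffing"; for `<script>` loads it makes the declared `Content-Type` authoritative, so a pastebin raw response served as `text/plain` is refused as a script. It would also help to state the lesson of the slide explicitly: any allowlisted origin in `script-src` that hosts user-controlled content (`https://pastebin.com`, `hastebin.com`) nullifies the policy, which is why `'self'` plus an upload bug works just as well. The three bare URLs at the end could use the `[text](url)` link style used elsewhere in the deck, and the `..`/`...` ellipses in the response excerpt should match.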
diff --git a/content/slides/1337/md/sop.md b/content/slides/1337/md/sop.md
index 457770d2889e1c7e89474b13c820d7ee7afd8d90..8b8a6c291a79e512a6582a4a2830778105d41f30 100644
--- a/content/slides/1337/md/sop.md
+++ b/content/slides/1337/md/sop.md
@@ -2,6 +2,7 @@
 
 ## a.k.a Same Origin Policy
 
+
 ## [<i class="fa fa-medkit"></i> **SOP**: Same Origin Policy](https://developer.mozilla.org/fr/docs/Web/JavaScript/)
 
   * concerne *XMLHttpRequest*
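Review bot: Blank-line-only change, fine. While touching this slide: the title link points at `https://developer.mozilla.org/fr/docs/Web/JavaScript/`, the generic JavaScript landing page, rather than the MDN Same-origin policy article under `Web/Security/Same-origin_policy`; worth fixing in the same patch since the CSP deck links to its specific MDN page.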