Useless CSP

Aug 31, 2018

The New Yorker

The New Yorker allows 'unsafe-inline' 'unsafe-eval' https: in script-src; it seems that they're only using CSP to transition to https.

$ curl -s -i 'https://www.newyorker.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval';
 child-src https: data: blob:;
 connect-src https: data: blob:;
 font-src https: data:;
 img-src https: blob: data:;
 media-src blob: data: https:;
 object-src https:;
 script-src https: data: blob: 'unsafe-inline' 'unsafe-eval';
 style-src https: 'unsafe-inline';
 block-all-mixed-content;
 upgrade-insecure-requests;
 report-uri https://capture.condenastdigital.com/csp/the-new-yorker
$

Aug 28, 2018

Google Hangout

Google Hangout allows https://www.gstatic.com (which hosts AngularJS scripts, allowing comprehensive CSP bypasses). The link below might not work; you'll have to check the headers sent for a valid call.

$ curl -s -i 'https://hangouts.google.com/call/' -b 'yourcookie=yourvalue' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
script-src 'nonce-49VcM8sdA5vMEYgv3vjKXF5t9Rk' 'self' 'unsafe-eval' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com;
report-uri /_/elUi/cspreport;
$

Aug 26, 2018

Scott Helme

Scott Helme allows cdnjs.cloudflare.com (which hosts AngularJS scripts, allowing comprehensive CSP bypasses), but it's still better than the majority of the websites listed on this website.

$ curl -s -i https://scotthelme.co.uk/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self'; 
script-src 'self' disqus.com c.disquscdn.com platform.instagram.com cdnjs.cloudflare.com scotthelme.disqus.com a.disquscdn.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com; 
style-src 'self' c.disquscdn.com a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com; 
img-src 'self' data: www.gravatar.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com; 
child-src www.instagram.com twitter.com fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com www.youtube-nocookie.com; 
connect-src 'self' syndication.twitter.com links.services.disqus.com; 
font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; 
form-action 'self' syndication.twitter.com; 
upgrade-insecure-requests; 
report-uri https://scotthelme.report-uri.com/r/d/csp/enforce
$
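A small checker, added here as an illustration (it is not part of the original post), that applies the tests made by hand in these entries to a raw Content-Security-Policy value: it parses the header, finds the sources that govern scripts (falling back to default-src), and flags 'unsafe-inline', 'unsafe-eval', scheme-only sources, a bare * and the AngularJS-hosting CDNs named above. The ANGULAR_HOSTS set and the finding codes are my own; the sample policies are copied from the captures above, with Scott Helme's abridged to the relevant directives.

```python
import re

# Hosts this page names as serving AngularJS builds; allow-listing them in
# script-src defeats the policy however strict the rest of it looks.
ANGULAR_HOSTS = {"cdnjs.cloudflare.com", "ajax.googleapis.com", "www.gstatic.com"}

# Policies copied from the curl captures above (header name stripped).
NEW_YORKER = ("default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src https: data: blob:; "
              "script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; "
              "block-all-mixed-content; upgrade-insecure-requests")
HANGOUTS = ("script-src 'nonce-49VcM8sdA5vMEYgv3vjKXF5t9Rk' 'self' 'unsafe-eval' https://apis.google.com "
            "https://ssl.gstatic.com https://www.google.com https://www.gstatic.com; report-uri /_/elUi/cspreport")
SCOTT_HELME = ("default-src 'self'; script-src 'self' disqus.com c.disquscdn.com platform.instagram.com "
               "cdnjs.cloudflare.com scotthelme.disqus.com a.disquscdn.com go.disqus.com platform.twitter.com "
               "cdn.syndication.twimg.com syndication.twitter.com; style-src 'self' cdnjs.cloudflare.com")


def parse_csp(header):
    """Split a raw CSP value into {directive: [source expressions]}.

    The spec says the first occurrence of a directive wins, so later duplicates are dropped.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def split_source(source):
    """Return (host, path) for a host-source; keywords and scheme-sources give ("", "")."""
    s = source.lower()
    if s.startswith("'") or (s.endswith(":") and "/" not in s):
        return "", ""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # drop an explicit scheme
    host, _, path = s.partition("/")
    return host.split(":")[0], path                # drop a port, keep the path


def audit_script_src(header):
    """Return [(code, detail)] findings for the sources that govern script execution."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return [("unrestricted", "neither script-src nor default-src is set")]
    lowered = [s.lower() for s in sources]
    findings = []
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it is only reported when it actually takes effect.
    nonced = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    if "'unsafe-inline'" in lowered and not nonced:
        findings.append(("unsafe-inline", "injected inline <script> executes"))
    if "'unsafe-eval'" in lowered:
        findings.append(("unsafe-eval", "eval()/Function()/string timers allowed"))
    if "*" in lowered:
        findings.append(("wildcard", "scripts may load from any host"))
    for scheme in ("https:", "http:", "data:", "blob:"):
        if scheme in lowered:
            findings.append(("scheme-source", f"{scheme} allows any origin on that scheme"))
    for src in sources:
        host, path = split_source(src)
        # A path-restricted entry such as www.gstatic.com/recaptcha/ does not expose the
        # AngularJS builds kept elsewhere on that host, so only bare hosts are flagged.
        if host in ANGULAR_HOSTS and not path:
            findings.append(("angular-host", f"{host} serves AngularJS: known CSP bypass"))
    return findings


if __name__ == "__main__":
    for name, policy in (("New Yorker", NEW_YORKER), ("Hangouts", HANGOUTS), ("Scott Helme", SCOTT_HELME)):
        print(name)
        for code, detail in audit_script_src(policy) or [("ok", "no script-src weakness found")]:
            print(f"  {code}: {detail}")
```

Feed it the value of any capture above (everything after the header name) to get the same verdicts the entries give by hand.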

Aug 22, 2018

Steam community

Steam community has 'unsafe-inline' 'unsafe-eval' in script-src, along with https://www.gstatic.com, which hosts AngularJS scripts, so script-src can be bypassed anyway.

The same goes for the steam store.

$ curl -s -i https://steamcommunity.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://steamcommunity-a.akamaihd.net/ https://api.steampowered.com/ https://steamcdn-a.akamaihd.net/steamcommunity/public/assets/ *.google-analytics.com https://www.google.com https://www.gstatic.com https://apis.google.com;
object-src 'none';
connect-src 'self' https://api.steampowered.com/ https://store.steampowered.com/ wss://community.steam-api.com/websocket/ *.google-analytics.com http://127.0.0.1:27060 ws://127.0.0.1:27060;
frame-src 'self' steam: https://store.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com;
$

Aug 19, 2018

Chaturbate

Chaturbate has a ridiculously long CSP policy, with AngularJS hosters in its whitelist (like cdnjs or ajax.googleapis.com), allowing trivial CSP bypasses, and of course 'unsafe-inline' 'unsafe-eval' in script-src.

$ curl -s -i https://chaturbate.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self'; 
 script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.highwebmedia.com https://*.chaturbate.com https://chaturbate.com https://ssl.google-analytics.com https://ajax.googleapis.com https://cdn.exoticads.com https://js-agent.newrelic.com https://ssl.p.jwpcdn.com https://cdnjs.cloudflare.com www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://bam.nr-data.net https://chaturbateapps.disqus.com https://*.disquscdn.com https://disqus.com ; 
 style-src 'self' 'unsafe-inline' https://*.highwebmedia.com https://cdnjs.cloudflare.com fonts.googleapis.com https://*.disquscdn.com ; 
 img-src 'self' data: https://*.highwebmedia.com https://*.chaturbate.com https://chaturbate.com https://ssl.google-analytics.com https://public.chaturbate.com https://cbpv.chaturbate.com https://cbphotovideo.s3.amazonaws.com https://cbphotovideo-eu.s3.amazonaws.com https://public.chaturbate.com.s3.amazonaws.com https://wowdvr.s3.amazonaws.com https://cbvideoupload.s3.amazonaws.com https://ssl.p.jwpcdn.com https://jwpltx.com https://cdnjs.cloudflare.com www.google-analytics.com https://www.gstatic.com https://bam.nr-data.net https://*.disquscdn.com https://links.services.disqus.com https://referrer.disqus.com  ; 
 font-src 'self' data: https://*.highwebmedia.com https://ssl.p.jwpcdn.com https://cdnjs.cloudflare.com fonts.gstatic.com ; 
 connect-src 'self' https://*.highwebmedia.com wss://*.highwebmedia.com https://bam.nr-data.net https://*.chaturbate.com https://chaturbate.com wss://recommend.chaturbate.com:8443 https://ssl.google-analytics.com www.google-analytics.com https://links.services.disqus.com https://sentry.io https://cbvideoupload.s3-accelerate.amazonaws.com ; 
 media-src 'self' https://*.highwebmedia.com https://*.chaturbate.com https://chaturbate.com mediasource: blob: data: https://public.chaturbate.com https://cbpv.chaturbate.com https://cbphotovideo.s3.amazonaws.com https://cbphotovideo-eu.s3.amazonaws.com https://public.chaturbate.com.s3.amazonaws.com https://wowdvr.s3.amazonaws.com https://cbvideoupload.s3.amazonaws.com; 
 object-src 'self' https://*.highwebmedia.com https://download.macromedia.com https://public.chaturbate.com https://cbpv.chaturbate.com https://cbphotovideo.s3.amazonaws.com https://cbphotovideo-eu.s3.amazonaws.com https://public.chaturbate.com.s3.amazonaws.com https://wowdvr.s3.amazonaws.com https://cbvideoupload.s3.amazonaws.com ; 
 frame-src 'self' https://*.chaturbate.com https://chaturbate.com https://*.highwebmedia.com  https://adserver.exoticads.com https://www.google.com/recaptcha/ https://disqus.com ; 
 worker-src 'self' blob: blob; 
 form-action 'self' https://*.chaturbate.com https://chaturbate.com https://*.stream.highwebmedia.com https://www.coinpayments.net https://wnu.com https://secure.camsterchat.com https://secure.zpaymentsystems.com ; 
 manifest-src 'self' https://*.highwebmedia.com ; 
 report-uri https://report-uri.highwebmedia.com/r/t/csp/enforce;
$

Aug 19, 2018

Ars Technica

Ars Technica allows pretty much everything. It seems that they're using CSP only to prevent http usage.

$ curl -s -i https://arstechnica.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; 
child-src https: data: blob:; 
connect-src https: data: blob:; 
font-src https: data:; 
img-src https: data:; 
media-src blob: https:; 
object-src https:; 
script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; 
style-src https: 'unsafe-inline'; 
block-all-mixed-content; 
upgrade-insecure-requests
$

Aug 19, 2018

The New York Times

The New York Times allows pretty much everything. It seems that they're using CSP only to prevent http usage.

$ curl -s -i 'https://www.nytimes.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src data: 'unsafe-inline' 'unsafe-eval' https:; 
script-src data: 'unsafe-inline' 'unsafe-eval' https: blob:; 
style-src data: 'unsafe-inline' https:; 
img-src data: https: blob:; 
font-src data: https:; 
connect-src https: wss:; 
media-src https: blob:; 
object-src https:; 
child-src https: data: blob:; 
form-action https:; 
block-all-mixed-content;
$

Jul 18, 2018

Badoo

Badoo has script-src 'unsafe-inline' 'unsafe-eval'.

$ curl -s -i 'https://badoo.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src 'self' badoo.com eu1.badoo.com us1.badoo.com *.badoo.com *.eu1.badoo.com *.us1.badoo.com badoocdn.com *.badoocdn.com   *.api.here.com *.paypal.com pagead2.googlesyndication.com api.giphy.com *.agora.io:* wss://*.agora.io:* wss://badoocdn.com:* wss://*.badoocdn.com:*; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' badoocdn.com *.badoocdn.com *.googleapis.com *.gstatic.com *.google.com vk.com *.vk.me cdn.syndication.twitter.com *.facebook.net *.facebook.com *.paypal.com www.paypalobjects.com *.youtube.com *.ytimg.com api.ok.ru *.google-analytics.com *.api.here.com *.instagram.com *.digicert.com pagead2.googlesyndication.com *.google.es; 
style-src 'self' 'unsafe-inline' badoocdn.com *.badoocdn.com vk.com *.vk.me *.googleapis.com; 
font-src 'self' data: badoocdn.com *.badoocdn.com fonts.googleapis.com fonts.gstatic.com; 
img-src * data: blob:; 
media-src * data: blob:; 
frame-src *; 
frame-ancestors 'self' apps.facebook.com; 
report-uri /jss/csp_report.phtml
$

Jul 18, 2018

Tinder

Tinder has script-src * 'unsafe-inline'.

$ curl -s -i 'https://tinder.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: script-src * 'unsafe-inline'; 
style-src * 'unsafe-inline' blob:; 
img-src * data: blob:
$

Jul 18, 2018

Blogger

Blogger has 'unsafe-inline' on script-src, along with a weird behaviour: the policy changes depending on the page requested:

$ curl -s -i https://www.blogger.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: script-src   'self' *.google.com *.google-analytics.com 'unsafe-inline'   'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com   *.googleapis.com uds.googleusercontent.com https://s.ytimg.com   https://i18n-cloud.appspot.com   www-onepick-opensocial.googleusercontent.com   www-bloggervideo-opensocial.googleusercontent.com   www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; 
report-uri /cspreport
$ curl -s -i 'https://www.blogger.com/about/?r=1-null_user' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' https://*.google-analytics.com https://*.googleusercontent.com https://*.gstatic.com; 
script-src 'self' 'unsafe-inline' https://*.google-analytics.com https://*.googleapis.com; 
style-src 'self' 'unsafe-inline' https://*.googleapis.com
$

Jul 17, 2018

Cloudflare

Cloudflare has script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data: blob: on its login page.

$ curl -s -i https://dash.cloudflare.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' https://* blob:; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data: blob:; 
img-src 'self' https://* data: blob:; 
style-src 'self' 'unsafe-inline' https://*; 
font-src 'self' https://* data:; 
frame-src https://*; 
connect-src 'self' https://* wss://*.zopim.com data:;
$

edit: I was told that it was done to prevent loading third-party assets over http.

Jul 17, 2018

Hushmail

Hushmail has 'unsafe-inline' 'unsafe-eval' in script-src.

$ curl -s -i https://www.hushmail.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src 'none'; 
media-src *; 
manifest-src 'none'; 
frame-src https://*.hushmail.com https://forms.hubspot.com https://*.hubspot.com https://*.google.com https://*.gstatic.com https://forms.hsforms.com https://*.google-analytics.com https://*.doubleclick.net https://hushforms.com https://www.hushmail.com 'self'; 
object-src 'self'; 
child-src 'self'; 
font-src https://*.hushmail.com 'self'; 
style-src https://*.hushmail.com https://hushforms.com 'self' 'unsafe-inline'; 
connect-src https://*.hushmail.com https://*.hubspot.com https://hushforms.com 'self'; 
img-src * data:; 
script-src https://*.hushmail.com https://js.hs-scripts.com https://js.hs-analytics.net https://js.hsleadflows.net https://js.hsforms.net https://js.usemessages.com https://forms.hubspot.com https://*.google.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.google-analytics.com https://*.doubleclick.net https://hushforms.com 'self' 'unsafe-inline' 'unsafe-eval'; 
frame-ancestors 'self' https://*.hushmail.com; 
report-uri /_ROOT_/cspreport/
$

Jul 17, 2018

Qwant

Qwant has script-src 'unsafe-inline' 'unsafe-eval' blob: data:.

$ curl -s -i https://www.qwant.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src * data: blob:; 
script-src 'unsafe-inline' 'unsafe-eval' blob: data: *.qwant.com *.kamoov.com; 
style-src 'unsafe-inline' data: *.qwant.com;
$

Jul 17, 2018

Mozilla

Mozilla has script-src 'self' 'unsafe-inline' 'unsafe-eval'.

$ curl -s -i https://www.mozilla.org/en-US/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
content-security-policy: script-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com www.google-analytics.com tagmanager.google.com www.youtube.com s.ytimg.com;
img-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com data: mozilla.org www.googletagmanager.com www.google-analytics.com creativecommons.org ad.doubleclick.net;
default-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com;
frame-src www.googletagmanager.com www.google-analytics.com www.youtube-nocookie.com trackertest.org www.surveygizmo.com accounts.firefox.com accounts.firefox.com.cn www.youtube.com;
style-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com 'unsafe-inline' fast.fonts.net;
connect-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com www.googletagmanager.com www.google-analytics.com;
child-src www.googletagmanager.com www.google-analytics.com www.youtube-nocookie.com trackertest.org www.surveygizmo.com accounts.firefox.com accounts.firefox.com.cn www.youtube.com
$

Jul 17, 2018

NpmJS

NpmJS accepts 'unsafe-inline' for script-src.

$ curl -s -i https://www.npmjs.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"  
content-security-policy: connect-src 'self' checkout.stripe.com sentry.io api.github.com www.npmjs.com http://gj.track.uc.cn/collect;
default-src 'none';
img-src * data:;
script-src 'self' 'unsafe-inline' https://checkout.stripe.com/checkout.js https://static.accountdock.com https://www.googletagmanager.com https://www.googletagmanager.com/gtm.js https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google-analytics.com https://www.google-analytics.com/analytics.js https://platform.twitter.com/widgets.js https://static.npmjs.com/;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://static.npmjs.com/;
frame-src checkout.stripe.com https://accountdock.com/app https://www.youtube.com/embed/mKMaG0cixXw https://static.accountdock.com/;
font-src https://fonts.gstatic.com https://static.npmjs.com/
$

Jul 17, 2018

SurveyMonkey

SurveyMonkey has default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' 'self'.

$ curl -s -i https://www.surveymonkey.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' 'self'; 
frame-ancestors 'self' https://*.zendesk.com https://*.myshopify.com https://teams.microsoft.com https://*.eloqua.com https://*.surveymonkey.com; 
report-uri https://csp.surveymonkey.com/report?e=true&c=prod&a=anonweb
$

Jul 16, 2018

Wired

Wired.com has script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; everything else seems to be there to prevent loading resources via http.

$ curl -s -i https://www.wired.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; 
child-src https: data: blob:; 
connect-src https: data: blob:; 
font-src https: data:; 
img-src https: blob: data:; 
media-src blob: data: https:; 
object-src https:; 
script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; 
style-src https: 'unsafe-inline'; 
block-all-mixed-content; 
upgrade-insecure-requests; 
report-uri https://capture.condenastdigital.com/csp/wired
$

Jul 16, 2018

Medium

Medium has script-src 'unsafe-eval' 'unsafe-inline' about: https: 'self'.

$ curl -s -i https://medium.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"    
content-security-policy: default-src 'self'; 
connect-src https://localhost https://*.instapaper.com https://*.stripe.com https://*.paypal.com https://getpocket.com https://medium.com:443 https://*.medium.com:443 https://*.medium.com https://medium.com https://*.medium.com https://*.algolia.net https://cdn-static-1.medium.com https://dnqgz544uhbo8.cloudfront.net https://cdn-videos-1.medium.com https://cdn-audio-1.medium.com https://*.lightstep.com https://app.zencoder.com 'self'; 
font-src data: https://*.amazonaws.com https://*.medium.com https://glyph.medium.com https://medium.com https://*.gstatic.com https://dnqgz544uhbo8.cloudfront.net https://use.typekit.net https://cdn-static-1.medium.com 'self'; 
frame-src chromenull: https: webviewprogressproxy: medium: 'self'; 
img-src blob: data: https: 'self'; 
media-src https://*.cdn.vine.co https://d1fcbxp97j4nb2.cloudfront.net https://d262ilb51hltx0.cloudfront.net https://*.medium.com https://gomiro.medium.com https://miro.medium.com https://pbs.twimg.com 'self' blob:; 
object-src 'self'; 
script-src 'unsafe-eval' 'unsafe-inline' about: https: 'self'; 
style-src 'unsafe-inline' data: https: 'self'; 
report-uri https://csp.medium.com
$

Jul 16, 2018

The Guardian

theguardian.com has default-src https: 'unsafe-inline' 'unsafe-eval'.

$ curl -s -i https://www.theguardian.com/international | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https:; 
script-src https: 'unsafe-inline' 'unsafe-eval'; 
style-src https: 'unsafe-inline'; 
img-src https: data: blob:; 
media-src https: data: blob:; 
font-src https: data:; 
connect-src https: wss:
$

Jul 16, 2018

CNN

CNN has script-src 'unsafe-eval' 'unsafe-inline' 'self' *, and 'self' plus a wildcard for everything else.

$ curl -s -i https://edition.cnn.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; 
script-src 'unsafe-eval' 'unsafe-inline' 'self' *; 
style-src 'unsafe-inline' 'self' blob: *; 
child-src 'self' blob: *; 
frame-src 'self' *; 
object-src 'self' *; 
img-src 'self' data: blob: *; 
media-src 'self' data: blob: *; 
font-src 'self' data: *; 
connect-src 'self' *; 
frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* courageousstudio.com;
$

Jul 16, 2018

Rue du commerce

rueducommerce.fr is a "big" French ecommerce website that doesn't like curl nor adblockers:

$ curl -i https://rueducommerce.fr
HTTP/1.1 403 Forbidden
Date: Mon, 16 Jul 2018 20:26:16 GMT
Server: DataDome
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 481
X-Varnish: 511952256
Age: 0
Via: 1.1 varnish (Varnish/5.0)
X-DataDome: protected
Content-Type: text/html;charset=utf-8
Charset: utf-8
Cache-Control: max-age=0, private, no-cache, no-store, must-revalidate
Pragma: no-cache
X-DataDome-CID: AHrlqAAAAAMA78zxfAiAWtgAWQIdWQ==
Set-Cookie: datadome=AHrlqAAAAAMA78zxfAiAWtgAWQIdWQ==;Path=/;Domain=rueducommerce.fr;Expires=Tue, 16-Jul-2019 20:26:16 GMT;Max-Age=31536000
Connection: keep-alive

<!--
Need permission to access data? Contact: DataAccess@datadome.co
-->
<html><head><title>You have been blocked</title><style>#cmsg{animation: A 1.5s;}@keyframes A{0%{opacity:0;}99%{opacity:0;}100%{opacity:1;}}</style></head><body style="margin:0"><p id="cmsg">Please enable JS and disable any ad blocker</p><script>var dd={'cid':'AHrlqAAAAAMA78zxfAiAWtgAWQIdWQ==','hsh':'4D096F16F58CAD48C209A56E8041CD'}</script><script src="https://ct.datadome.co/c.js"></script></body></html>

But they also have a useless CSP:

default-src https: 'unsafe-inline' 'unsafe-eval';
img-src https: data: about:;
connect-src https: wss:;
worker-src https: blob:;
report-uri /api/csp-report;

Jul 16, 2018

Whatsapp

whatsapp.com doesn't like curl's user agent and also has an impressively bad policy:

$ curl -A 'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0' -s -i https://www.whatsapp.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
content-security-policy: default-src * data: blob:; 
script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self'; 
style-src data: blob: 'unsafe-inline' *; 
connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self'; 
$

Jul 16, 2018

LinkedIn

LinkedIn has a nice collection of malpractices:

$ curl -s -i https://www.linkedin.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src *; 
connect-src 'self' static.licdn.com media.licdn.com static-exp1.licdn.com static-exp2.licdn.com media-exp1.licdn.com media-exp2.licdn.com https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com; 
img-src data: blob: *; 
font-src data: *; 
style-src 'unsafe-inline' 'self' static-src.linkedin.com *.licdn.com; 
script-src 'report-sample' 'unsafe-inline' 'unsafe-eval' 'self' platform.linkedin.com spdy.linkedin.com static-src.linkedin.com *.ads.linkedin.com *.licdn.com static.chartbeat.com www.google-analytics.com ssl.google-analytics.com bcvipva02.rightnowtech.com www.bizographics.com sjs.bizographics.com js.bizographics.com d.la4-c1-was.salesforceliveagent.com slideshare.www.linkedin.com; 
object-src 'none'; 
media-src blob: *; 
child-src blob: lnkd-communities: voyager: *; 
frame-ancestors 'self'; 
report-uri https://www.linkedin.com/lite/contentsecurity?f=l
$

Jul 16, 2018

DuckDuckGo

duckduckgo.com has default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'.

$ curl -s -I https://duckduckgo.com | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; 
frame-ancestors 'self'
$

Jul 16, 2018

Wire

app.wire.com has script-src 'self' 'unsafe-eval' 'unsafe-inline'.

$ curl -s -I app.wire.com | grep -E '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: media-src 'self' blob: data: *; 
img-src 'self' blob: data: https://*.cloudfront.net https://*.giphy.com https://*.wire.com https://*.zinfra.io https://1-ps.googleusercontent.com https://api.mixpanel.com https://csi.gstatic.com; 
connect-src 'self' blob: data: https://*.giphy.com https://*.unsplash.com https://*.wire.com https://*.zinfra.io https://api.mixpanel.com https://api.raygun.io https://apis.google.com https://wire.com https://www.google.com wss://*.zinfra.io wss://prod-nginz-ssl.wire.com; 
object-src 'self' https://*.youtube-nocookie.com https://1-ps.googleusercontent.com; 
style-src 'self' 'unsafe-inline' https://*.googleusercontent.com https://*.wire.com; 
default-src 'self'; 
font-src 'self' data:; 
frame-src https://*.soundcloud.com https://*.spotify.com https://*.vimeo.com https://*.youtube-nocookie.com https://accounts.google.com; 
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.wire.com https://*.zinfra.io https://api.mixpanel.com https://api.raygun.io https://apis.google.com

Jul 16, 2018

Ebay

Ebay has script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: https:.

$ curl -s -i https://www.ebay.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' blob: wss: data: https:; 
img-src 'self' data: https:; 
script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: https:; 
style-src 'self' 'unsafe-inline' data: https:; 
$

Jul 16, 2018

Yandex

yandex.ru has a very dense CSP policy, yet allows 'self' 'unsafe-inline' 'unsafe-eval' blob: in script-src.

$ curl -s -I https://yandex.ru/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: connect-src 'self' wss://webasr.yandex.net https://mc.webvisor.com https://mc.webvisor.org wss://push.yandex.ru wss://portal-xiva.yandex.net https://yastatic.net https://home.yastatic.net https://yandex.ru https://*.yandex.ru static.yandex.sx brotli.yastatic.net et.yastatic.net *.serving-sys.com portal-xiva.yandex.net yastatic.net home.yastatic.net yandex.ru *.yandex.ru *.yandex.net yandex.st; 
default-src 'self' blob: wss://portal-xiva.yandex.net yastatic.net portal-xiva.yandex.net; 
font-src 'self' https://yastatic.net zen.yandex.ru static.yandex.sx brotli.yastatic.net et.yastatic.net yastatic.net; 
frame-src 'self' yabrowser: data: https://ok.ru https://frontend.vh.yandex.ru https://www.youtube.com https://player.video.yandex.net https://ya.ru https://yastatic.net https://yandex.ru https://*.yandex.ru wfarm.yandex.net secure-ds.serving-sys.com yandexadexchange.net *.yandexadexchange.net yastatic.net yandex.ru *.yandex.ru awaps.yandex.net *.cdn.yandex.net; 
img-src 'self' data: https://yastatic.net https://home.yastatic.net https://*.yandex.ru https://*.yandex.net https://*.tns-counter.ru awaps.yandex.net *.yastatic.net gdeua.hit.gemius.pl pa.tns-ua.com mc.yandex.com mc.webvisor.com mc.webvisor.org static.yandex.sx brotli.yastatic.net et.yastatic.net *.moatads.com yastatic.net home.yastatic.net yandex.ru *.yandex.ru *.yandex.net *.tns-counter.ru yandex.st; 
media-src 'self' blob: data: *.storage.yandex.net *.yandex.net yastatic.net kiks.yandex.ru strm.yandex.ru; 
object-src 'self' *.yandex.net music.yandex.ru strm.yandex.ru yastatic.net kiks.yandex.ru awaps.yandex.net storage.mds.yandex.net; 
report-uri https://csp.yandex.net/csp?from=big.ru&showid=1531770273.82458.22870.14430&h=f60&yandexuid=9272944951531770273; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://suburban-widget.rasp.yandex.ru https://suburban-widget.rasp.yandex.net https://music.yandex.ru https://mc.yandex.fr https://mc.webvisor.com https://yandex.fr https://mc.webvisor.org https://yastatic.net https://home.yastatic.net https://mc.yandex.ru https://pass.yandex.ru zen.yandex.ru an.yandex.ru api-maps.yandex.ru static.yandex.sx webasr.yandex.net brotli.yastatic.net et.yastatic.net z.moatads.com bs.serving-sys.com secure-ds.serving-sys.com yastatic.net home.yastatic.net yandex.ru www.yandex.ru mc.yandex.ru suggest.yandex.ru clck.yandex.ru awaps.yandex.net; 
style-src 'self' 'unsafe-inline' https://yastatic.net https://home.yastatic.net zen.yandex.ru static.yandex.sx brotli.yastatic.net et.yastatic.net yastatic.net home.yastatic.net;
$

Jul 16, 2018

MSN

msn.com has 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob: for everything by default, and doesn't override it much.

$ curl -s -I https://www.msn.com | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob:; 
media-src 'self' https: blob:; 
worker-src 'self' https: blob:; 
block-all-mixed-content; 
connect-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob: https://*.trouter.io:443 https://*.trouter.skype.com:443 wss://*.trouter.io:443 wss://*.trouter.skype.com:443;
$

Jul 16, 2018

Ok.ru

Ok.ru has a complex policy for script-src featuring 'unsafe-inline' 'unsafe-eval', and a wildcard for the others.

$ curl -s -i https://ok.ru/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src data: 'self' 'unsafe-inline' 'unsafe-eval' ok.ru *.ok.ru odnoklassniki.ru *.odnoklassniki.ru mycdn.me http://*.mycdn.me https://*.mycdn.me wss://ad.mail.ru *.mail.ru *.imgsmail.ru *.mradx.net *.serving-sys.com *.googleapis.com *.gstatic.com www.google.com https://api-maps.yandex.ru yastatic.net yandex.st *.doubleverify.com *.adsafeprotected.com; 
script-src 'unsafe-inline' 'unsafe-eval' *.mail.ru https://*.mail.ru *.imgsmail.ru *.mradx.net ok.ru *.ok.ru odnoklassniki.ru *.odnoklassniki.ru mycdn.me http://*.mycdn.me https://*.mycdn.me mc.yandex.ru an.yandex.ru yastatic.net yandex.st *.google-analytics.com api-maps.yandex.ru https://api-maps.yandex.ru https://clck.yandex.ru *.googleapis.com *.gstatic.com www.google.com www.youtube.com https://www.youtube.com *.ytimg.com https://*.ytimg.com *.doubleverify.com *.dvtps.com *.doubleclick.net *.googletagservices.com *.googlesyndication.com *.googleadservices.com *.goodgame.ru https://*.goodgame.ru https://*.moatads.com *.adlooxtracking.com *.adsafeprotected.com *.serving-sys.com https://enterprise.api-maps.yandex.ru https://suggest-maps.yandex.ru; 
worker-src blob: 'self'; 
connect-src * wss:; 
font-src * data: blob:; 
frame-src * blob: 'self'; 
img-src * data: blob: about:; 
media-src * data: blob:; 
object-src *; 
report-uri /csp/report;
$