Useless CSP

Aug 19, 2018

Ars Technica

Ars Technica allows pretty much everything. It seems that they're using CSP only to prevent http usage.

$ curl -s -i https://arstechnica.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; 
child-src https: data: blob:; 
connect-src https: data: blob:; 
font-src https: data:; 
img-src https: data:; 
media-src blob: https:; 
object-src https:; 
script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; 
style-src https: 'unsafe-inline'; 
block-all-mixed-content; 
upgrade-insecure-requests
$