Useless CSP

Jul 18, 2018

Badoo

Badoo's script-src allows both 'unsafe-inline' and 'unsafe-eval', so the policy does nothing to stop an injected inline script (or an event handler, or eval() of attacker-controlled data) from running.

$ curl -s -i 'https://badoo.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src 'self' badoo.com eu1.badoo.com us1.badoo.com *.badoo.com *.eu1.badoo.com *.us1.badoo.com badoocdn.com *.badoocdn.com   *.api.here.com *.paypal.com pagead2.googlesyndication.com api.giphy.com *.agora.io:* wss://*.agora.io:* wss://badoocdn.com:* wss://*.badoocdn.com:*; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' badoocdn.com *.badoocdn.com *.googleapis.com *.gstatic.com *.google.com vk.com *.vk.me cdn.syndication.twitter.com *.facebook.net *.facebook.com *.paypal.com www.paypalobjects.com *.youtube.com *.ytimg.com api.ok.ru *.google-analytics.com *.api.here.com *.instagram.com *.digicert.com pagead2.googlesyndication.com *.google.es; 
style-src 'self' 'unsafe-inline' badoocdn.com *.badoocdn.com vk.com *.vk.me *.googleapis.com; 
font-src 'self' data: badoocdn.com *.badoocdn.com fonts.googleapis.com fonts.gstatic.com; 
img-src * data: blob:; 
media-src * data: blob:; 
frame-src *; 
frame-ancestors 'self' apps.facebook.com; 
report-uri /jss/csp_report.phtml
$
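As an added example (not part of the original post), here is a small CSP linter that parses a Content-Security-Policy header the way a browser does (directive names case-insensitive, first occurrence of a directive wins, fetch directives falling back to default-src) and flags the settings that make a policy useless against script injection. The header string is copied from the curl output above; everything else is added here and assumes only the Python standard library.

```python
"""Added CSP linter (not from the original post). Parses a CSP header and
reports directives that leave the page open to injected script."""

# Badoo's header, copied from the curl output in the post (joined back
# into the single line the server actually sends).
BADOO_CSP = (
    "default-src 'self' badoo.com eu1.badoo.com us1.badoo.com *.badoo.com "
    "*.eu1.badoo.com *.us1.badoo.com badoocdn.com *.badoocdn.com *.api.here.com "
    "*.paypal.com pagead2.googlesyndication.com api.giphy.com *.agora.io:* "
    "wss://*.agora.io:* wss://badoocdn.com:* wss://*.badoocdn.com:*; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' badoocdn.com *.badoocdn.com "
    "*.googleapis.com *.gstatic.com *.google.com vk.com *.vk.me "
    "cdn.syndication.twitter.com *.facebook.net *.facebook.com *.paypal.com "
    "www.paypalobjects.com *.youtube.com *.ytimg.com api.ok.ru "
    "*.google-analytics.com *.api.here.com *.instagram.com *.digicert.com "
    "pagead2.googlesyndication.com *.google.es; "
    "style-src 'self' 'unsafe-inline' badoocdn.com *.badoocdn.com vk.com *.vk.me "
    "*.googleapis.com; "
    "font-src 'self' data: badoocdn.com *.badoocdn.com fonts.googleapis.com "
    "fonts.gstatic.com; "
    "img-src * data: blob:; media-src * data: blob:; frame-src *; "
    "frame-ancestors 'self' apps.facebook.com; report-uri /jss/csp_report.phtml"
)

# Directives that never fall back to default-src.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "report-uri",
               "report-to", "sandbox", "plugin-types"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; if a directive is repeated,
    browsers honour the first occurrence and ignore the rest."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Resolve what actually governs a directive: the directive itself,
    then child-src for frame-src/worker-src, then default-src. Returns
    None when nothing applies (no restriction at all)."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    if directive in ("frame-src", "worker-src") and "child-src" in policy:
        return policy["child-src"]
    return policy.get("default-src")


def lint_csp(header):
    """Return a list of human-readable findings; an empty list means the
    checks here found nothing (not that the policy is airtight)."""
    policy = parse_csp(header)
    findings = []

    script = [s.lower() for s in (effective_sources(policy, "script-src") or [])]
    # In CSP2+ browsers a nonce or hash in script-src makes 'unsafe-inline'
    # a no-op, so it is only a problem when neither is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src 'unsafe-inline': injected <script> blocks "
                        "and on* event handlers execute")
    if "'unsafe-eval'" in script:
        findings.append("script-src 'unsafe-eval': eval()/new Function()/"
                        "setTimeout(string) on attacker data is allowed")
    if "*" in script or any(s in ("http:", "https:") for s in script):
        findings.append("script-src allows scripts from any origin")
    wildcards = [s for s in script if s.startswith("*.")]
    if wildcards:
        findings.append("script-src trusts %d wildcard hosts (e.g. %s): every "
                        "subdomain, including any serving user uploads or JSONP, "
                        "may supply script" % (len(wildcards), wildcards[0]))

    objects = effective_sources(policy, "object-src")
    if objects is None or [s.lower() for s in objects] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be loaded "
                        "from the whitelisted origins")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect "
                        "relative script URLs to an attacker host")

    frames = effective_sources(policy, "frame-src") or []
    if "*" in frames:
        findings.append("frame-src *: any site can be embedded in the page")
    return findings


if __name__ == "__main__":
    for finding in lint_csp(BADOO_CSP):
        print("-", finding)
```

Run as-is it prints six findings for the Badoo header; the same function returns nothing for a nonce-based policy such as `default-src 'none'; script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none'; frame-src 'none'`, which is the shape of policy that actually buys something. Style-src 'unsafe-inline' is deliberately not flagged: injected CSS is a lesser problem and most sites need it.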