Useless CSP

Jul 18, 2018

Blogger

Blogger sends 'unsafe-inline' (and 'unsafe-eval') in script-src with no nonce or hash alongside it, so the policy blocks no injected inline script at all; the long host allowlist is window dressing. It also behaves oddly in that the front page and /about/ get two different policies, the second with a default-src the first lacks, so what is "covered" depends on the path:

$ curl -s -i https://www.blogger.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: script-src   'self' *.google.com *.google-analytics.com 'unsafe-inline'   'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com   *.googleapis.com uds.googleusercontent.com https://s.ytimg.com   https://i18n-cloud.appspot.com   www-onepick-opensocial.googleusercontent.com   www-bloggervideo-opensocial.googleusercontent.com   www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; 
report-uri /cspreport
$ curl -s -i 'https://www.blogger.com/about/?r=1-null_user' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' https://*.google-analytics.com https://*.googleusercontent.com https://*.gstatic.com; 
script-src 'self' 'unsafe-inline' https://*.google-analytics.com https://*.googleapis.com; 
style-src 'self' 'unsafe-inline' https://*.googleapis.com
$
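As an added example (not code from the original post or from Blogger), the small Python audit below parses the two header values shown above, copied from the curl output, and reports why each gives no real script-injection protection: 'unsafe-inline' in script-src without a nonce or hash, 'unsafe-eval', wildcard script hosts, and a missing object-src or base-uri. The fallback rules it applies (script-src and object-src fall back to default-src, base-uri does not) are standard CSP behaviour; the finding codes and the nonce-based HARDENED_CSP used for contrast are my own and hypothetical.

```python
"""Audit a Content-Security-Policy header value for directives that defeat
its purpose as a script-injection mitigation.

Added example, not code from the original post. The two Blogger policies
are copied from the curl output above; HARDENED_CSP is a hypothetical
contrast policy, not something Blogger serves.
"""
import re

# Policy served on https://www.blogger.com/ (from the curl output above).
BLOGGER_ROOT_CSP = (
    "script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' "
    "'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com "
    "*.googleapis.com uds.googleusercontent.com https://s.ytimg.com "
    "https://i18n-cloud.appspot.com "
    "www-onepick-opensocial.googleusercontent.com "
    "www-bloggervideo-opensocial.googleusercontent.com "
    "www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; "
    "report-uri /cspreport"
)

# Policy served on https://www.blogger.com/about/ (from the curl output above).
BLOGGER_ABOUT_CSP = (
    "default-src 'self' https://*.google-analytics.com "
    "https://*.googleusercontent.com https://*.gstatic.com; "
    "script-src 'self' 'unsafe-inline' https://*.google-analytics.com "
    "https://*.googleapis.com; "
    "style-src 'self' 'unsafe-inline' https://*.googleapis.com"
)

# Hypothetical nonce-based policy for contrast. CSP2+ browsers ignore
# 'unsafe-inline' once a nonce is present; it only remains as a fallback
# for CSP1-only browsers.
HARDENED_CSP = (
    "script-src 'nonce-r4nd0m' 'unsafe-inline'; "
    "object-src 'none'; base-uri 'none'; report-uri /cspreport"
)

_NONCE_OR_HASH = re.compile(r"'(nonce-|sha(256|384|512)-)")
_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://")


def parse_csp(header):
    """Split a header value into {directive: [source expressions]}.
    Directive names are case-insensitive; if a directive is repeated the
    first occurrence wins, which matches browser behaviour."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list that governs `directive`: fetch directives such as
    script-src and object-src fall back to default-src, base-uri does not.
    Returns None when nothing governs it."""
    if directive in policy:
        return policy[directive]
    if directive == "base-uri":
        return None
    return policy.get("default-src")


def audit_csp(header):
    """Return (directive, code, detail) tuples describing why the policy
    gives little or no protection against script injection."""
    policy = parse_csp(header)
    findings = []
    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append(("script-src", "missing",
                         "no script-src or default-src, so script from anywhere runs"))
        script = []
    if "'unsafe-inline'" in script and not any(_NONCE_OR_HASH.match(s) for s in script):
        findings.append(("script-src", "unsafe-inline",
                         "'unsafe-inline' with no nonce or hash: injected inline "
                         "scripts and event handlers execute"))
    if "'unsafe-eval'" in script:
        findings.append(("script-src", "unsafe-eval",
                         "eval()/new Function() on attacker-controlled strings is allowed"))
    for src in script:
        if src.startswith("'"):
            continue  # keyword sources ('self', 'none', nonces, hashes)
        host = _SCHEME.sub("", src.lower())
        if host == "*" or host.startswith("*."):
            findings.append(("script-src", "wildcard-host",
                             f"{src}: any host under the wildcard may serve script"))
    if effective_sources(policy, "object-src") is None:
        findings.append(("object-src", "missing",
                         "plugin content (<object>/<embed>) may load from anywhere"))
    if effective_sources(policy, "base-uri") is None:
        findings.append(("base-uri", "missing",
                         "an injected <base> tag can point relative script URLs at an attacker host"))
    return findings


if __name__ == "__main__":
    for label, csp in (("blogger /", BLOGGER_ROOT_CSP),
                       ("blogger /about/", BLOGGER_ABOUT_CSP),
                       ("hardened (hypothetical)", HARDENED_CSP)):
        print(f"== {label}: {len(audit_csp(csp))} finding(s)")
        for directive, code, detail in audit_csp(csp):
            print(f"  {directive} [{code}] {detail}")
```

Run against the two Blogger headers it reports the 'unsafe-inline' finding on both, 'unsafe-eval' and six wildcard script hosts on the front page, and a missing object-src there because no default-src exists to fall back on; the nonce-based contrast policy produces no findings.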