Useless CSP

Aug 19, 2018

Chaturbate

Chaturbate has a ridiculously long CSP policy, with AngularJS hosters in its whitelist (like cdnjs or ajax.googleapis.com), allowing trivial CSP bypasses, and of course 'unsafe-inline' 'unsafe-eval' in scrip-src.

$ curl -s -i https://chaturbate.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self'; 
 script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.highwebmedia.com https://*.chaturbate.com https://chaturbate.com https://ssl.google-analytics.com https://ajax.googleapis.com https://cdn.exoticads.com https://js-agent.newrelic.com https://ssl.p.jwpcdn.com https://cdnjs.cloudflare.com www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://bam.nr-data.net https://chaturbateapps.disqus.com https://*.disquscdn.com https://disqus.com ; 
 style-src 'self' 'unsafe-inline' https://*.highwebmedia.com https://cdnjs.cloudflare.com fonts.googleapis.com https://*.disquscdn.com ; 
 img-src 'self' data: https://*.highwebmedia.com https://*.chaturbate.com https://chaturbate.com https://ssl.google-analytics.com https://public.chaturbate.com https://cbpv.chaturbate.com https://cbphotovideo.s3.amazonaws.com https://cbphotovideo-eu.s3.amazonaws.com https://public.chaturbate.com.s3.amazonaws.com https://wowdvr.s3.amazonaws.com https://cbvideoupload.s3.amazonaws.com https://ssl.p.jwpcdn.com https://jwpltx.com https://cdnjs.cloudflare.com www.google-analytics.com https://www.gstatic.com https://bam.nr-data.net https://*.disquscdn.com https://links.services.disqus.com https://referrer.disqus.com  ; 
 font-src 'self' data: https://*.highwebmedia.com https://ssl.p.jwpcdn.com https://cdnjs.cloudflare.com fonts.gstatic.com ; 
 connect-src 'self' https://*.highwebmedia.com wss://*.highwebmedia.com https://bam.nr-data.net https://*.chaturbate.com https://chaturbate.com wss://recommend.chaturbate.com:8443 https://ssl.google-analytics.com www.google-analytics.com https://links.services.disqus.com https://sentry.io https://cbvideoupload.s3-accelerate.amazonaws.com ; 
 media-src 'self' https://*.highwebmedia.com https://*.chaturbate.com https://chaturbate.com mediasource: blob: data: https://public.chaturbate.com https://cbpv.chaturbate.com https://cbphotovideo.s3.amazonaws.com https://cbphotovideo-eu.s3.amazonaws.com https://public.chaturbate.com.s3.amazonaws.com https://wowdvr.s3.amazonaws.com https://cbvideoupload.s3.amazonaws.com; 
 object-src 'self' https://*.highwebmedia.com https://download.macromedia.com https://public.chaturbate.com https://cbpv.chaturbate.com https://cbphotovideo.s3.amazonaws.com https://cbphotovideo-eu.s3.amazonaws.com https://public.chaturbate.com.s3.amazonaws.com https://wowdvr.s3.amazonaws.com https://cbvideoupload.s3.amazonaws.com ; 
 frame-src 'self' https://*.chaturbate.com https://chaturbate.com https://*.highwebmedia.com  https://adserver.exoticads.com https://www.google.com/recaptcha/ https://disqus.com ; 
 worker-src 'self' blob: blob; 
 form-action 'self' https://*.chaturbate.com https://chaturbate.com https://*.stream.highwebmedia.com https://www.coinpayments.net https://wnu.com https://secure.camsterchat.com https://secure.zpaymentsystems.com ; 
 manifest-src 'self' https://*.highwebmedia.com ; 
 report-uri https://report-uri.highwebmedia.com/r/t/csp/enforce;
$