Useless CSP

Jul 17, 2018

Cloudflare

Cloudflare has script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data: blob:; on its login page, which permits inline scripts, eval, and scripts from any https host or data: URI, so it offers no protection against script injection.

$ curl -s -i https://dash.cloudflare.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' https://* blob:; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data: blob:; 
img-src 'self' https://* data: blob:; 
style-src 'self' 'unsafe-inline' https://*; 
font-src 'self' https://* data:; 
frame-src https://*; 
connect-src 'self' https://* wss://*.zopim.com data:;
$
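As an added example (not from the original post), the following Python parses a CSP header and lists the reasons its script-src would not stop injected script; it uses the policy captured above, and the fallback-to-default-src and nonce-overrides-'unsafe-inline' rules it applies are standard CSP behaviour, not anything stated on the page.

```python
import re

# Policy captured on the page (Cloudflare login, 2018), embedded inline so this runs offline.
CLOUDFLARE_CSP = (
    "default-src 'self' https://* blob:; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data: blob:; "
    "img-src 'self' https://* data: blob:; "
    "style-src 'self' 'unsafe-inline' https://*; "
    "font-src 'self' https://* data:; "
    "frame-src https://*; "
    "connect-src 'self' https://* wss://*.zopim.com data:"
)

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def script_sources(policy: dict) -> list:
    """script-src governs scripts; if absent, default-src applies instead."""
    return policy.get("script-src", policy.get("default-src", []))

def script_src_weaknesses(header: str) -> list:
    """List the reasons this policy's script-src would not stop injected script."""
    sources = [s.lower() for s in script_sources(parse_csp(header))]
    # Browsers ignore 'unsafe-inline' once a nonce- or hash-source is present.
    has_nonce_or_hash = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in sources)
    findings = []
    for s in sources:
        if s == "'unsafe-inline'" and not has_nonce_or_hash:
            findings.append("'unsafe-inline': injected inline <script> and event handlers run")
        elif s == "'unsafe-eval'":
            findings.append("'unsafe-eval': eval() and new Function() on attacker strings are allowed")
        elif s in ("data:", "blob:", "filesystem:"):
            findings.append(f"{s}: script may be loaded from any {s} URL")
        elif s in ("*", "http:", "https:") or re.fullmatch(r"https?://\*", s):
            findings.append(f"{s}: any host on that scheme may serve scripts")
    return findings

if __name__ == "__main__":
    for finding in script_src_weaknesses(CLOUDFLARE_CSP):
        print(finding)
```

Running it against the captured policy yields five findings; a policy such as default-src 'none'; script-src 'nonce-…' 'strict-dynamic' yields none.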

edit: I was told that it was done to prevent loading third-party assets over http.