Useless CSP

Jul 16, 2018

CNN

CNN's policy sets script-src 'unsafe-eval' 'unsafe-inline' 'self' *; and 'self' plus the * wildcard on nearly every other fetch directive. The * in script-src alone makes the policy pointless against XSS, since an attacker can load script from any origin, and 'unsafe-inline' lets injected inline scripts and event handlers run as well; object-src * additionally allows plugin content from anywhere. Only default-src and frame-ancestors carry a real allowlist, and default-src only governs the few directives that are not listed explicitly.

$ curl -s -i https://edition.cnn.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; 
script-src 'unsafe-eval' 'unsafe-inline' 'self' *; 
style-src 'unsafe-inline' 'self' blob: *; 
child-src 'self' blob: *; 
frame-src 'self' *; 
object-src 'self' *; 
img-src 'self' data: blob: *; 
media-src 'self' data: blob: *; 
font-src 'self' data: *; 
connect-src 'self' *; 
frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* courageousstudio.com;
$
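As an added example (not code from the Useless CSP site), here is a small Python checker that parses a CSP header value, applies the default-src fallback, and reports why the policy would not stop script injection. The CNN header captured above is embedded as its input; the directive list, the severity labels and the hardened comparison policy are this example's own assumptions.

```python
"""Audit a Content-Security-Policy header for settings that make it ineffective.

Added example for this entry, not code from the Useless CSP site. The
directive list, severity labels and the hardened comparison policy below are
this script's own assumptions.
"""
from typing import Dict, List, Tuple

# Fetch directives that fall back to default-src when not listed explicitly.
# (worker-src is omitted: in CSP3 it falls back via child-src/script-src first.)
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "manifest-src",
)

# Source expressions that admit any origin, or any origin over a scheme.
WILDCARD_SOURCES = {"*", "http:", "https:"}

Finding = Tuple[str, str, str]  # (severity, directive, message)

# The header CNN served on 2018-07-16, as captured with curl above.
CNN_CSP_2018 = (
    "default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* "
    "*.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com "
    "*.vgtf.net:*; script-src 'unsafe-eval' 'unsafe-inline' 'self' *; "
    "style-src 'unsafe-inline' 'self' blob: *; child-src 'self' blob: *; "
    "frame-src 'self' *; object-src 'self' *; img-src 'self' data: blob: *; "
    "media-src 'self' data: blob: *; font-src 'self' data: *; connect-src 'self' *; "
    "frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com https://*.cnn.io:* "
    "http://*.cnn.io:* *.turner.com:* courageousstudio.com"
)

# Hypothetical nonce-based policy for comparison (constructed, not CNN's).
HARDENED_CSP = (
    "default-src 'none'; script-src 'nonce-r4nd0mV4lu3' 'unsafe-inline'; "
    "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Accepts the bare value or a full "content-security-policy: ..." line.
    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored (first one wins).
    """
    name, sep, value = header.partition(":")
    if sep and name.strip().lower() == "content-security-policy":
        header = value
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that govern `directive` after the default-src fallback.

    An unlisted fetch directive with no default-src is unrestricted: ['*'].
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def has_nonce_or_hash(sources: List[str]) -> bool:
    """CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present."""
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return any(s.lower().startswith(prefixes) for s in sources)


def audit_csp(header: str) -> List[Finding]:
    """Return (severity, directive, message) findings that make a policy ineffective."""
    policy = parse_csp(header)
    findings: List[Finding] = []

    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        lowered = {s.lower() for s in sources}
        wild = sorted(lowered & WILDCARD_SOURCES)
        if wild:
            # Script or plugin content from any origin defeats the policy outright.
            sev = "critical" if directive in ("script-src", "object-src") else "info"
            findings.append((sev, directive, "allows any origin (%s)" % " ".join(wild)))
        if directive == "script-src" and "'unsafe-eval'" in lowered:
            findings.append(("high", directive, "'unsafe-eval' lets eval()/Function() run attacker-controlled strings"))
        if directive in ("script-src", "style-src") and "'unsafe-inline'" in lowered:
            if has_nonce_or_hash(sources):
                findings.append(("info", directive, "'unsafe-inline' is ignored by CSP2+ browsers because a nonce/hash is present"))
            elif directive == "script-src":
                findings.append(("critical", directive, "'unsafe-inline' allows injected inline scripts and event handlers"))
            else:
                findings.append(("low", directive, "'unsafe-inline' allows injected inline styles"))

    if "base-uri" not in policy:
        findings.append(("medium", "base-uri", "missing; an injected <base> tag can redirect relative script URLs"))
    return findings


def is_useless(header: str) -> bool:
    """True when script-src still admits any origin or unrestricted inline script."""
    return any(sev == "critical" and d == "script-src" for sev, d, _ in audit_csp(header))


if __name__ == "__main__":
    for label, csp in (("CNN 2018", CNN_CSP_2018), ("hardened", HARDENED_CSP)):
        print("%s: useless=%s" % (label, is_useless(csp)))
        for sev, directive, msg in audit_csp(csp):
            print("  [%s] %s: %s" % (sev, directive, msg))
```

Pipe the curl output into `parse_csp` as-is; the header-name prefix is stripped. The checker treats a host wildcard such as `*.cnn.com` as a legitimate allowlist entry and only flags bare `*` and scheme-only sources, which is what separates CNN's default-src from its script-src.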