Useless CSP

Jul 16, 2018

Duckduckgo

duckduckgo.com sends default-src https: blob: data: 'unsafe-inline' 'unsafe-eval', which lets scripts load from any HTTPS origin, from blob: and data: URLs, inline, and via eval, so the policy restricts nothing except framing.

$ curl -s -I https://duckduckgo.com | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; 
frame-ancestors 'self'
$
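To see mechanically why a header like the one above is useless, here is an added example (not part of the original post) that parses a CSP header, resolves script-src with its default-src fallback, and flags the source expressions that neutralise script restrictions. The header strings it is tested against are constructed from the output shown above.

```python
"""Audit a Content-Security-Policy header for whether it actually restricts scripts."""

# Source expressions that make script-src ineffective: they allow inline code,
# eval, or scripts from essentially any origin.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "blob:",
                       "https:", "http:", "*"}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace; when a directive
    is repeated, browsers honour only the first occurrence.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Resolve a fetch directive, falling back to default-src when it is absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header: str) -> dict:
    """Report the effective script sources, the weak ones, and the frame-ancestors setting."""
    policy = parse_csp(header)
    script = effective_sources(policy, "script-src")
    weak = {s for s in script if s in WEAK_SCRIPT_SOURCES}
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it is not a weakness in that combination.
    if any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in script):
        weak.discard("'unsafe-inline'")
    return {
        "script_sources": script,
        "weak": sorted(weak),
        # No script-src and no default-src means scripts are unrestricted too.
        "restricts_scripts": bool(script) and not weak,
        "frame_ancestors": policy.get("frame-ancestors"),
    }
```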