Useless CSP

Jul 16, 2018

Ebay

Ebay serves script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: https:; which allows inline script, eval(), data: URIs and any HTTPS origin as script sources, so the policy stops no injected script.

$ curl -s -i https://www.ebay.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' blob: wss: data: https:; 
img-src 'self' data: https:; 
script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: https:; 
style-src 'self' 'unsafe-inline' data: https:; 
$
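To check a header like the one above without reading it by hand, here is an added example (not from the original post) that parses a CSP header and lists the script-src sources that defeat it as an XSS mitigation, falling back to default-src when script-src is absent and honouring the CSP3 rule that 'unsafe-inline' is ignored once a nonce or hash is present. The eBay header is the one quoted above; the other policies are constructed for comparison.

```python
# Header quoted in the post above; script-src is present, so default-src is not consulted for scripts.
EBAY_CSP = ("default-src 'self' blob: wss: data: https:; img-src 'self' data: https:; "
            "script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: https:; "
            "style-src 'self' 'unsafe-inline' data: https:")

# Source expressions that, in script-src, make the policy useless against injected script.
WEAK_SCRIPT_SOURCES = {
    "'unsafe-inline'": "inline <script> and event handlers execute",
    "'unsafe-eval'": "eval()/new Function() are permitted",
    "data:": "data: URIs can carry attacker-supplied script",
    "blob:": "blob: URLs can carry attacker-supplied script",
    "https:": "any HTTPS origin may serve script",
    "http:": "any HTTP origin may serve script",
    "*": "any origin may serve script",
}


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def script_src_findings(header):
    """Return human-readable findings for the effective script source list of a CSP header."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: script loading is unrestricted"]
    # Keyword sources are case-insensitive; scheme sources are matched lowercase as well.
    normalised = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in normalised)
    findings = []
    for src in normalised:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue  # CSP3-capable browsers ignore 'unsafe-inline' when a nonce or hash is listed
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"{src}: {WEAK_SCRIPT_SOURCES[src]}")
    return findings


if __name__ == "__main__":
    for line in script_src_findings(EBAY_CSP):
        print(line)
```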