Useless CSP

Nov 30, 2018

Facebook

Facebook's policy has * as its default-src; 127.0.0.1:* together with 'unsafe-inline' and 'unsafe-eval' in script-src; 'unsafe-inline' in style-src; and finally spotilocal.com (which resolves to 127.0.0.1 and belongs to Spotify) in connect-src.

$ curl -Is https://www.facebook.com/ --user-agent 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36' | grep -Ei '^Content-Security-Policy:' | sed "s/;/; \\n/g"
content-security-policy: default-src * data: blob:; 
script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self'; 
style-src data: blob: 'unsafe-inline' *; 
connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
$
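The header above is easier to judge with a small auditor than by eye. The following Python script is an added example, not code from the original post: it splits a Content-Security-Policy header into directives and reports the weaknesses the post points out (a wildcard source, 'unsafe-inline', 'unsafe-eval', data:/blob: in script-capable directives, and loopback or localhost hosts). The sample header is the Facebook policy quoted above, joined back onto one line; the `LOOPBACK_DOMAINS` table is constructed from the post's statement that spotilocal.com resolves to 127.0.0.1 (a real auditor would resolve each host over DNS instead of consulting a hard-coded list).

```python
"""Added example (not from the original post): audit a CSP header for the
weak sources discussed above.  Offline; no network or DNS is used."""
from __future__ import annotations

# Constructed sample: the header quoted in the post, on one line.
FACEBOOK_CSP = (
    "default-src * data: blob:; "
    "script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com "
    "*.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' "
    "'unsafe-eval' *.atlassolutions.com blob: data: 'self'; "
    "style-src data: blob: 'unsafe-inline' *; "
    "connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net "
    "*.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* "
    "*.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com "
    "'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd "
    "chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm"
)

# Directives we evaluate.  All but default-src fall back to default-src when absent.
AUDITED_DIRECTIVES = ("default-src", "script-src", "style-src", "connect-src", "object-src")
# Directives where data:/blob: sources can carry executable content.
CODE_DIRECTIVES = {"default-src", "script-src", "object-src"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Constructed from the post's claim; a real tool would resolve hosts via DNS.
LOOPBACK_DOMAINS = frozenset({"spotilocal.com"})


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.
    Directive names are lower-cased; a repeated directive is ignored, as browsers do."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(source: str) -> str:
    """Host part of a source expression: '*.spotilocal.com:*' -> '*.spotilocal.com',
    'wss://*.facebook.com:*' -> '*.facebook.com'.  Keywords and scheme-only sources
    such as 'self' or data: are returned unchanged (lower-cased)."""
    host = source.split("://", 1)[1] if "://" in source else source
    host = host.split("/", 1)[0]
    base, sep, port = host.rpartition(":")
    if sep and (port == "*" or port.isdigit()):
        return base.lower()
    return host.lower()


def is_loopback(source: str) -> bool:
    """True when the source names localhost/127.0.0.1 or a domain known to resolve there."""
    host = host_of(source)
    if host in LOOPBACK_HOSTS:
        return True
    bare = host.lstrip("*.")  # drop a leading wildcard label
    return any(bare == d or bare.endswith("." + d) for d in LOOPBACK_DOMAINS)


def audit(policy: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {directive: [finding, ...]} for every audited directive with weak sources.
    A directive missing from the policy is evaluated against default-src and labelled."""
    findings: dict[str, list[str]] = {}
    for directive in AUDITED_DIRECTIVES:
        sources, label = policy.get(directive), directive
        if sources is None:
            sources = policy.get("default-src")
            label = f"{directive} (inherited from default-src)"
            if sources is None:
                continue
        notes = []
        for src in sources:
            low = src.lower()
            if low == "*":
                notes.append("wildcard '*' allows any origin")
            elif low == "'unsafe-inline'":
                notes.append("'unsafe-inline' permits injected inline code")
            elif low == "'unsafe-eval'":
                notes.append("'unsafe-eval' permits eval()/Function()")
            elif low in ("data:", "blob:") and directive in CODE_DIRECTIVES:
                notes.append(f"{low} URIs can be attacker-controlled")
            elif is_loopback(src):
                notes.append(f"{src} is a loopback host: any local process can serve it")
        if notes:
            findings[label] = notes
    return findings


if __name__ == "__main__":
    for directive, notes in audit(parse_csp(FACEBOOK_CSP)).items():
        print(directive)
        for note in notes:
            print("  -", note)
```

Run it as-is to see the Facebook policy's findings, or pass any other header to `parse_csp` followed by `audit`. A policy such as `default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'` produces no findings, which is the contrast the post is drawing.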