Useless CSP

Aug 06, 2019

GMail

GMail has a CSP, but its script-src allows 'unsafe-eval', because why not:

$ curl -s -i 'https://mail.google.com/mail' -b '…' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: script-src 'report-sample' 'nonce-XXXXXXXXXXXXXXXXXXX' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';
object-src 'none';
base-uri 'self';
report-uri https://mail.google.com/mail/cspreport;
$
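To make the point concrete, here is a small Python audit script, added for this post and not code from Google or the post's author: it parses a serialized CSP the way a browser does (first occurrence of a directive wins, script-src falls back to default-src) and reports what the script-src source list actually permits. GMAIL_CSP is the header quoted above (nonce value redacted as in the post); HARDENED_CSP is a constructed comparison policy that keeps the nonce and 'strict-dynamic' and drops the rest, not something GMail serves.

```python
# Added example: audit the script-src directive of a CSP header.
from __future__ import annotations

# Header quoted in the post (nonce redacted there too).
GMAIL_CSP = (
    "script-src 'report-sample' 'nonce-XXXXXXXXXXXXXXXXXXX' 'unsafe-inline' "
    "'strict-dynamic' https: http: 'unsafe-eval'; object-src 'none'; "
    "base-uri 'self'; report-uri https://mail.google.com/mail/cspreport"
)

# Constructed comparison policy (assumption, not served by GMail): nonce plus
# 'strict-dynamic' only, so eval() and scheme-wide script loading are gone.
HARDENED_CSP = (
    "script-src 'report-sample' 'nonce-XXXXXXXXXXXXXXXXXXX' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'self'; "
    "report-uri https://mail.google.com/mail/cspreport"
)

# Scheme-wide sources that effectively allow any script from that scheme.
WIDE_OPEN_SOURCES = ("*", "https:", "http:", "data:")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.

    Directive names are case-insensitive, and a repeated directive is ignored
    by browsers: the first occurrence wins.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """Source list governing scripts: script-src, else default-src, else None
    (meaning nothing restricts scripts at all)."""
    for name in ("script-src", "default-src"):
        if name in policy:
            # keyword sources such as 'unsafe-eval' match case-insensitively
            return [s.lower() for s in policy[name]]
    return None


def allows_eval(policy: dict[str, list[str]]) -> bool:
    """eval(), new Function() and string-argument setTimeout are blocked only
    when a script source list exists and it lacks 'unsafe-eval'."""
    sources = script_sources(policy)
    return sources is None or "'unsafe-eval'" in sources


def audit_script_src(header: str) -> list[str]:
    """Return human-readable findings for the script-src of a CSP header."""
    policy = parse_csp(header)
    sources = script_sources(policy)
    if sources is None:
        return ["no script-src/default-src: every script is allowed"]

    issues: list[str] = []
    nonced = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    strict_dynamic = "'strict-dynamic'" in sources
    hosts = [s for s in sources if not s.startswith("'")]

    if "'unsafe-eval'" in sources:
        issues.append("'unsafe-eval': injected script can still reach eval()")
    # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'; without
    # one, any inline script injection runs.
    if "'unsafe-inline'" in sources and not nonced:
        issues.append("'unsafe-inline' without nonce/hash: inline script injection runs")
    # Under 'strict-dynamic' host and scheme sources are ignored, so they are
    # dead weight; without it, scheme-wide sources load scripts from anywhere.
    if hosts and not strict_dynamic:
        wide = [h for h in hosts if h in WIDE_OPEN_SOURCES]
        if wide:
            issues.append(f"scheme-wide sources {wide}: any script on those schemes loads")
    return issues


if __name__ == "__main__":
    for label, header in (("GMail", GMAIL_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: eval allowed={allows_eval(parse_csp(header))}")
        for issue in audit_script_src(header):
            print("  -", issue)
```

Running it reports exactly one problem for the GMail header, the 'unsafe-eval' keyword: 'strict-dynamic' already makes a CSP3 browser ignore the 'unsafe-inline', https: and http: sources, so only eval() remains open. The hardened variant audits clean.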