Useless CSP

Jul 17, 2018

Hushmail

Hushmail's policy allows both 'unsafe-inline' and 'unsafe-eval' in script-src.

$ curl -s -i https://www.hushmail.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src 'none'; 
media-src *; 
manifest-src 'none'; 
frame-src https://*.hushmail.com https://forms.hubspot.com https://*.hubspot.com https://*.google.com https://*.gstatic.com https://forms.hsforms.com https://*.google-analytics.com https://*.doubleclick.net https://hushforms.com https://www.hushmail.com 'self'; 
object-src 'self'; 
child-src 'self'; 
font-src https://*.hushmail.com 'self'; 
style-src https://*.hushmail.com https://hushforms.com 'self' 'unsafe-inline'; 
connect-src https://*.hushmail.com https://*.hubspot.com https://hushforms.com 'self'; 
img-src * data:; 
script-src https://*.hushmail.com https://js.hs-scripts.com https://js.hs-analytics.net https://js.hsleadflows.net https://js.hsforms.net https://js.usemessages.com https://forms.hubspot.com https://*.google.com https://*.gstatic.com https://*.googletagmanager.com https://*.googleadservices.com https://*.google-analytics.com https://*.doubleclick.net https://hushforms.com 'self' 'unsafe-inline' 'unsafe-eval'; 
frame-ancestors 'self' https://*.hushmail.com; 
report-uri /_ROOT_/cspreport/
$
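The following is an added example, not part of the original post and not Hushmail's code: a small Python checker that parses a serialized Content-Security-Policy value the way the grep/sed pipeline above splits it, resolves the directive that actually governs scripts (script-src, or default-src as the fallback), and reports the weaknesses this page is about. The Hushmail policy embedded below is copied from the curl output above; the strict policy beside it is a constructed counter-example, and the nonce value in it is a placeholder.

```python
"""Audit a Content-Security-Policy header for script-src weaknesses.

Added example: parses a CSP value and flags the settings that make the policy
ineffective against injected script ('unsafe-inline', 'unsafe-eval', wildcard
origins, or no script restriction at all).
"""

# Sample input copied from the curl output on this page (Hushmail, 2018-07-17).
HUSHMAIL_CSP = (
    "default-src 'none'; media-src *; manifest-src 'none'; "
    "frame-src https://*.hushmail.com https://forms.hubspot.com https://*.hubspot.com "
    "https://*.google.com https://*.gstatic.com https://forms.hsforms.com "
    "https://*.google-analytics.com https://*.doubleclick.net https://hushforms.com "
    "https://www.hushmail.com 'self'; object-src 'self'; child-src 'self'; "
    "font-src https://*.hushmail.com 'self'; "
    "style-src https://*.hushmail.com https://hushforms.com 'self' 'unsafe-inline'; "
    "connect-src https://*.hushmail.com https://*.hubspot.com https://hushforms.com 'self'; "
    "img-src * data:; "
    "script-src https://*.hushmail.com https://js.hs-scripts.com https://js.hs-analytics.net "
    "https://js.hsleadflows.net https://js.hsforms.net https://js.usemessages.com "
    "https://forms.hubspot.com https://*.google.com https://*.gstatic.com "
    "https://*.googletagmanager.com https://*.googleadservices.com "
    "https://*.google-analytics.com https://*.doubleclick.net https://hushforms.com "
    "'self' 'unsafe-inline' 'unsafe-eval'; "
    "frame-ancestors 'self' https://*.hushmail.com; report-uri /_ROOT_/cspreport/"
)

# Constructed counter-example (nonce value is a placeholder, not a real one).
STRICT_CSP = (
    "default-src 'none'; script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none'"
)

# Fetch directives that inherit from default-src when absent. Directives such
# as frame-ancestors, report-uri, base-uri and form-action do not fall back.
FETCH_DIRECTIVES = {"script-src", "object-src", "style-src", "img-src",
                    "connect-src", "font-src", "media-src", "frame-src",
                    "child-src", "manifest-src"}


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source, ...]}.

    Directive names are case-insensitive. Per the CSP spec the first
    occurrence of a duplicated directive wins; later copies are ignored.
    """
    policy: dict[str, list[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Return the source list governing `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def audit_script_src(header_value: str) -> list[str]:
    """Return human-readable findings about how scripts are restricted."""
    policy = parse_csp(header_value)
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return ["no script-src and no default-src: scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    # When a nonce or hash is present, CSP2+ browsers ignore 'unsafe-inline'
    # in the same directive, so it only acts as a fallback for old browsers.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    findings = []
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': inline script and "
                        "event handlers execute, so the policy does not stop XSS")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval': eval() and "
                        "new Function() on attacker-controlled strings execute")
    if "*" in lowered or any(s in ("http:", "https:") for s in lowered):
        findings.append("script-src allows any origin via a scheme or '*' wildcard")
    obj = effective_sources(policy, "object-src")
    if obj is None or "*" in obj:
        findings.append("object-src is unrestricted: plugin content is another script vector")
    return findings


def is_useless(header_value: str) -> bool:
    """True when the policy cannot stop injected inline script at all."""
    return any(f.startswith(("script-src allows 'unsafe-inline'", "no script-src"))
               for f in audit_script_src(header_value))


if __name__ == "__main__":
    for label, csp in (("hushmail", HUSHMAIL_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: useless={is_useless(csp)}")
        for finding in audit_script_src(csp):
            print("  -", finding)
```

Running it prints the two 'unsafe-*' findings for the Hushmail policy and nothing for the strict one; the object-src and wildcard checks are there because a policy can also be defeated outside script-src, which is why the audit looks at the effective directive rather than only grepping for the keyword.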