Useless CSP

Jul 16, 2018

Linkedin

LinkedIn has a nice collection of malpractices, all in one header:

$ curl -s -i https://www.linkedin.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src *; 
connect-src 'self' static.licdn.com media.licdn.com static-exp1.licdn.com static-exp2.licdn.com media-exp1.licdn.com media-exp2.licdn.com https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com; 
img-src data: blob: *; 
font-src data: *; 
style-src 'unsafe-inline' 'self' static-src.linkedin.com *.licdn.com; 
script-src 'report-sample' 'unsafe-inline' 'unsafe-eval' 'self' platform.linkedin.com spdy.linkedin.com static-src.linkedin.com *.ads.linkedin.com *.licdn.com static.chartbeat.com www.google-analytics.com ssl.google-analytics.com bcvipva02.rightnowtech.com www.bizographics.com sjs.bizographics.com js.bizographics.com d.la4-c1-was.salesforceliveagent.com slideshare.www.linkedin.com; 
object-src 'none'; 
media-src blob: *; 
child-src blob: lnkd-communities: voyager: *; 
frame-ancestors 'self'; 
report-uri https://www.linkedin.com/lite/contentsecurity?f=l
$
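To make the weak points in a header like this visible automatically, here is an added example (mine, not code from the original post) that parses a Content-Security-Policy value and flags the directives that neutralise it. The embedded sample is the policy quoted above with its host lists trimmed; the helper names and the strict comparison policy in the test are my own constructions.

```python
import re

# Constructed sample: the LinkedIn header quoted above, host lists trimmed.
LINKEDIN_CSP = (
    "default-src *; connect-src 'self' static.licdn.com www.linkedin.com wss://*.linkedin.com; "
    "img-src data: blob: *; font-src data: *; style-src 'unsafe-inline' 'self' *.licdn.com; "
    "script-src 'report-sample' 'unsafe-inline' 'unsafe-eval' 'self' platform.linkedin.com "
    "*.ads.linkedin.com *.licdn.com www.google-analytics.com; object-src 'none'; media-src blob: *; "
    "child-src blob: lnkd-communities: voyager: *; frame-ancestors 'self'; "
    "report-uri https://www.linkedin.com/lite/contentsecurity?f=l"
)

def parse_csp(header):
    """Split a CSP header into {directive-name: [source, ...]}."""
    parts = (p.split() for p in header.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def host_of(source):
    """Strip an optional scheme so 'wss://*.x.com' and '*.x.com' compare alike."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", source, flags=re.I)

INLINE_DIRECTIVES = ("default-src", "script-src", "style-src")

def audit_csp(header):
    """Return (directive, source, reason) for each setting that weakens the policy."""
    policy, findings = parse_csp(header), []
    for name, sources in policy.items():
        for src in sources:
            if host_of(src) == "*":
                findings.append((name, src, "any origin allowed"))
            elif host_of(src).startswith("*."):
                findings.append((name, src, "every subdomain allowed"))
            elif src in ("'unsafe-inline'", "'unsafe-eval'") and name in INLINE_DIRECTIVES:
                findings.append((name, src, "inline code or eval allowed"))
    # base-uri and form-action never fall back to default-src: absent means unrestricted.
    findings += [(d, None, "directive missing") for d in ("base-uri", "form-action") if d not in policy]
    return findings

def script_src_mitigates_xss(policy):
    """True only if an injected inline <script> would actually be blocked."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    # CSP2+: a nonce or hash source makes browsers ignore 'unsafe-inline'; without one it applies.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        return False
    return not any(host_of(s) == "*" for s in sources)
```

Run `audit_csp(LINKEDIN_CSP)` to list the findings; `script_src_mitigates_xss(parse_csp(LINKEDIN_CSP))` returns False because script-src carries 'unsafe-inline' with no nonce or hash, so the policy does not stop injected script at all.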