Useless CSP

Jul 16, 2018

Medium

Medium's script-src is 'unsafe-eval' 'unsafe-inline' about: https: 'self'. With 'unsafe-inline' and the bare https: scheme allowed, any injected inline script, and any script fetched from any HTTPS host, is permitted to run, so the policy does nothing to stop XSS.

$ curl -s -i https://medium.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self'; 
connect-src https://localhost https://*.instapaper.com https://*.stripe.com https://*.paypal.com https://getpocket.com https://medium.com:443 https://*.medium.com:443 https://*.medium.com https://medium.com https://*.medium.com https://*.algolia.net https://cdn-static-1.medium.com https://dnqgz544uhbo8.cloudfront.net https://cdn-videos-1.medium.com https://cdn-audio-1.medium.com https://*.lightstep.com https://app.zencoder.com 'self'; 
font-src data: https://*.amazonaws.com https://*.medium.com https://glyph.medium.com https://medium.com https://*.gstatic.com https://dnqgz544uhbo8.cloudfront.net https://use.typekit.net https://cdn-static-1.medium.com 'self'; 
frame-src chromenull: https: webviewprogressproxy: medium: 'self'; 
img-src blob: data: https: 'self'; 
media-src https://*.cdn.vine.co https://d1fcbxp97j4nb2.cloudfront.net https://d262ilb51hltx0.cloudfront.net https://*.medium.com https://gomiro.medium.com https://miro.medium.com https://pbs.twimg.com 'self' blob:; 
object-src 'self'; 
script-src 'unsafe-eval' 'unsafe-inline' about: https: 'self'; 
style-src 'unsafe-inline' data: https: 'self'; 
report-uri https://csp.medium.com
$
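To make the "useless" judgement mechanical, here is a small CSP auditor (an added example, not the page author's or Medium's tooling). It parses a Content-Security-Policy value, picks the sources that govern scripts (script-src, else default-src), and flags the source expressions that let attacker-controlled script run, applying the two spec rules that change the answer: a nonce or hash makes 'unsafe-inline' ignored (CSP2), and 'strict-dynamic' makes scheme and host allowlists ignored (CSP3). The Medium policy is the header quoted above, trimmed to the directives that matter here; the hardened policy and its nonce value are constructed for contrast.

```python
"""Added example (not the page author's or Medium's own tooling): a small
Content-Security-Policy auditor that flags script-src source expressions
which neutralise CSP as an XSS mitigation.  MEDIUM_CSP is the header quoted
on this page (trimmed); HARDENED_CSP is a constructed contrast."""

from typing import Dict, List, Tuple

# Source expressions that, in script-src, let attacker-controlled script run.
WEAK_SCRIPT_SOURCES = {
    "'unsafe-inline'": "inline <script>, javascript: URLs and event handlers execute",
    "'unsafe-eval'": "eval()/new Function() on attacker-influenced strings allowed",
    "https:": "any HTTPS origin may serve scripts",
    "http:": "any HTTP origin may serve scripts",
    "*": "any origin may serve scripts",
    "data:": "data: URLs may carry scripts",
}
NONCE_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# The Medium header quoted on this page, trimmed to the script-relevant parts.
MEDIUM_CSP = (
    "default-src 'self'; object-src 'self'; "
    "script-src 'unsafe-eval' 'unsafe-inline' about: https: 'self'; "
    "style-src 'unsafe-inline' data: https: 'self'; "
    "report-uri https://csp.medium.com"
)

# Constructed contrast: per-response nonce + 'strict-dynamic', no scheme allowlist.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-EXAMPLE_NONCE' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated; directive
    names are case-insensitive, and browsers keep only the first occurrence
    of a repeated directive.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:          # later duplicates are ignored
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; without it, default-src is the fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit_script_src(policy: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (source, reason) pairs for each weak script source that a
    CSP2/CSP3 browser would actually honour."""
    sources = effective_script_sources(policy)
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_HASH_PREFIXES) for s in lowered)
    strict_dynamic = "'strict-dynamic'" in lowered

    findings: List[Tuple[str, str]] = []
    for src in sources:
        key = src.lower()
        if key not in WEAK_SCRIPT_SOURCES:
            continue
        # CSP2: a nonce or hash in the list makes 'unsafe-inline' ignored.
        if key == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        # CSP3: 'strict-dynamic' makes scheme/host allowlists ignored.
        if strict_dynamic and key in ("https:", "http:", "*", "data:"):
            continue
        findings.append((src, WEAK_SCRIPT_SOURCES[key]))
    return findings


def csp_blocks_xss(policy: Dict[str, List[str]]) -> bool:
    """True when no weak script source survives; False for a 'useless' CSP."""
    return not audit_script_src(policy)


if __name__ == "__main__":
    for label, raw in (("medium.com (2018)", MEDIUM_CSP), ("hardened", HARDENED_CSP)):
        pol = parse_csp(raw)
        print(f"{label}: blocks XSS = {csp_blocks_xss(pol)}")
        for src, why in audit_script_src(pol):
            print(f"  weak: {src:18} {why}")
```

Run against the Medium header it reports 'unsafe-eval', 'unsafe-inline' and https: as surviving weak sources; the constructed nonce-based policy produces no findings. The auditor only judges script execution, so a policy can pass it and still be weak elsewhere (for example a permissive base-uri or object-src).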