Useless CSP

Jul 17, 2018

Mozilla

Mozilla's script-src allows 'self', 'unsafe-inline' and 'unsafe-eval'. With 'unsafe-inline' present and no nonce or hash, any inline script an attacker manages to inject still runs, so the policy does little against XSS.

$ curl -s -i https://www.mozilla.org/en-US/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
content-security-policy: script-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com www.google-analytics.com tagmanager.google.com www.youtube.com s.ytimg.com;
img-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com data: mozilla.org www.googletagmanager.com www.google-analytics.com creativecommons.org ad.doubleclick.net;
default-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com;
frame-src www.googletagmanager.com www.google-analytics.com www.youtube-nocookie.com trackertest.org www.surveygizmo.com accounts.firefox.com accounts.firefox.com.cn www.youtube.com;
style-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com 'unsafe-inline' fast.fonts.net;
connect-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com www.googletagmanager.com www.google-analytics.com;
child-src www.googletagmanager.com www.google-analytics.com www.youtube-nocookie.com trackertest.org www.surveygizmo.com accounts.firefox.com accounts.firefox.com.cn www.youtube.com
$
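To make the point checkable rather than eyeballed, here is a small audit script (added here, not part of the original post) that parses a serialized CSP, resolves the script-src/default-src fallback, and reports the sources that defeat the policy's XSS value. It is run against a shortened copy of the mozilla.org header above and against a constructed nonce-based policy for contrast; the nonce value is a placeholder.

```python
"""Audit the script-src of a CSP header for sources that defeat its XSS value."""

# Constructed from the header shown in the post (shortened; other directives omitted).
MOZILLA_CSP = (
    "script-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com "
    "'unsafe-inline' 'unsafe-eval' www.googletagmanager.com www.youtube.com; "
    "img-src 'self' *.mozilla.org data:; "
    "default-src 'self' *.mozilla.net *.mozilla.org *.mozilla.com"
)
# A hypothetical nonce-based policy for comparison (the nonce value is a placeholder).
STRICT_CSP = "default-src 'self'; script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; object-src 'none'"

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source tokens]}.

    Names and keyword sources are ASCII case-insensitive, so tokens are lowercased.
    Per the spec a repeated directive name is ignored, so the first occurrence wins.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy


def effective_script_src(policy: dict[str, list[str]]) -> list[str]:
    """script-src governs script execution; when absent, browsers fall back to default-src."""
    return policy.get("script-src", policy.get("default-src", []))


def audit_script_src(header: str) -> list[str]:
    """Return the source expressions that make this policy a weak XSS mitigation."""
    sources = effective_script_src(parse_csp(header))
    findings = []
    # CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is also present,
    # so it is only a real weakness when the policy has neither.
    if "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources):
        findings.append("'unsafe-inline'")  # injected inline scripts and on* handlers run
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval'")  # eval(), new Function(), string timers run
    for broad in ("*", "data:", "http:", "https:"):
        if broad in sources:
            findings.append(broad)  # wildcard/scheme sources: any origin can host the script
    return findings


if __name__ == "__main__":
    for name, csp in (("mozilla.org", MOZILLA_CSP), ("nonce-based", STRICT_CSP)):
        print(f"{name}: {audit_script_src(csp) or 'no script-src weaknesses found'}")
```

Feed it the raw header value from the curl output above (everything after `content-security-policy:`) to audit a live site.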