Useless CSP

Jul 16, 2018

Msn

msn.com's default-src is 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob:, and the few per-directive overrides barely tighten it. There is no script-src, so scripts fall back to default-src: inline scripts, eval() and any script fetched over HTTPS from any origin are all permitted, which is precisely what a CSP is meant to stop. The 'unsafe-inline' and 'unsafe-eval' copied into connect-src do nothing there; those keywords only have meaning in the script and style directives.

$ curl -s -I https://www.msn.com | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob:; 
media-src 'self' https: blob:; 
worker-src 'self' https: blob:; 
block-all-mixed-content; 
connect-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob: https://*.trouter.io:443 https://*.trouter.skype.com:443 wss://*.trouter.io:443 wss://*.trouter.skype.com:443;
$
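To check a policy like this mechanically rather than by eye, here is a small Python analyser (an added example, not part of the original post). It parses the header, resolves which directive governs scripts (script-src, falling back to default-src), and reports whether inline scripts, eval and loading from any HTTPS origin remain allowed, plus any 'unsafe-*' keywords sitting in directives where browsers ignore them. The msn.com header string is copied from the curl output above as a constructed sample; the STRICT_CSP it is compared against is a hypothetical policy, not anything msn.com serves.

```python
"""Tiny CSP analyser: does a Content-Security-Policy actually restrict scripts?

Added example, not code from the blog post. Sample headers are embedded
below so the script runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Header as captured from www.msn.com in the post (constructed sample input).
MSN_CSP = (
    "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob:; "
    "media-src 'self' https: blob:; "
    "worker-src 'self' https: blob:; "
    "block-all-mixed-content; "
    "connect-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob: "
    "https://*.trouter.io:443 https://*.trouter.skype.com:443 "
    "wss://*.trouter.io:443 wss://*.trouter.skype.com:443"
)

# Hypothetical nonce-based policy for comparison (not msn.com's).
STRICT_CSP = (
    "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none'"
)

# 'unsafe-inline' / 'unsafe-eval' only mean something in these directives.
KEYWORD_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr",
}
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Names are case-insensitive; a repeated directive is ignored after
    its first occurrence, which is what browsers do."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_sources(policy: Dict[str, List[str]],
                      directive: str) -> Tuple[Optional[str], Optional[List[str]]]:
    """Return (directive that applies, its sources). Fetch directives fall
    back to default-src when absent; with neither, the type is unrestricted."""
    if directive in policy:
        return directive, policy[directive]
    if "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, None


def assess_scripts(header: str) -> Dict[str, object]:
    """Summarise what the policy lets scripts do."""
    policy = parse_csp(header)
    governing, sources = governing_sources(policy, "script-src")
    if sources is None:
        return {"governing": None, "allows_inline": True, "allows_eval": True,
                "allows_any_https_origin": True, "allows_data_scripts": True,
                "ineffective_keywords": {}}
    src = {s.lower() for s in sources}
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)
    strict_dynamic = "'strict-dynamic'" in src
    # Keywords parsed but ignored outside script/style directives.
    ineffective = {
        name: [s for s in values if s.lower() in UNSAFE_KEYWORDS]
        for name, values in policy.items() if name not in KEYWORD_DIRECTIVES
    }
    return {
        "governing": governing,
        # A nonce/hash (or 'strict-dynamic') makes 'unsafe-inline' a no-op.
        "allows_inline": "'unsafe-inline'" in src
                         and not has_nonce_or_hash and not strict_dynamic,
        "allows_eval": "'unsafe-eval'" in src,
        # 'strict-dynamic' switches host and scheme allowlists off entirely.
        "allows_any_https_origin": bool({"https:", "http:", "*"} & src)
                                   and not strict_dynamic,
        "allows_data_scripts": "data:" in src and not strict_dynamic,
        "ineffective_keywords": {k: v for k, v in ineffective.items() if v},
    }


if __name__ == "__main__":
    for label, header in (("msn.com", MSN_CSP), ("strict", STRICT_CSP)):
        print(label)
        for key, value in assess_scripts(header).items():
            print(f"  {key}: {value}")
```

Point it at any header you have captured with curl: if `governing` is `default-src` and `allows_inline` is true, the policy is not mitigating XSS no matter how long it looks.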