Useless CSP

Jul 17, 2018

NpmJS

NpmJS accepts 'unsafe-inline' for script-src. That single keyword makes the long host allowlist after it worthless against XSS: any inline <script> an attacker manages to inject is executed, with no need to stage a file on one of the allowlisted hosts. style-src carries the same keyword, connect-src even allows a cleartext http:// collector, and img-src is a bare wildcard.

$ curl -s -i https://www.npmjs.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"  
content-security-policy: connect-src 'self' checkout.stripe.com sentry.io api.github.com www.npmjs.com http://gj.track.uc.cn/collect;
default-src 'none';
img-src * data:;
script-src 'self' 'unsafe-inline' https://checkout.stripe.com/checkout.js https://static.accountdock.com https://www.googletagmanager.com https://www.googletagmanager.com/gtm.js https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google-analytics.com https://www.google-analytics.com/analytics.js https://platform.twitter.com/widgets.js https://static.npmjs.com/;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://static.npmjs.com/;
frame-src checkout.stripe.com https://accountdock.com/app https://www.youtube.com/embed/mKMaG0cixXw https://static.accountdock.com/;
font-src https://fonts.gstatic.com https://static.npmjs.com/
$
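To make the "useless" verdict mechanical rather than eyeballed, here is a small CSP checker, added for this post and not npm's code. It parses the header printed above, resolves the script-src fallback to default-src, and applies the CSP3 rule that 'unsafe-inline' is ignored once a nonce-, hash- or 'strict-dynamic' source is present, so it reports what a browser would actually enforce. The hardened policy and its nonce value are constructed for the comparison.

```python
"""Parse a Content-Security-Policy header and decide whether it still
blocks inline scripts.  Added example; not npm's code."""

import re
from typing import Dict, List, Optional

# Copied from the header npmjs.com served above (wrapped for readability).
NPMJS_CSP = (
    "connect-src 'self' checkout.stripe.com sentry.io api.github.com "
    "www.npmjs.com http://gj.track.uc.cn/collect; "
    "default-src 'none'; "
    "img-src * data:; "
    "script-src 'self' 'unsafe-inline' https://checkout.stripe.com/checkout.js "
    "https://static.accountdock.com https://www.googletagmanager.com "
    "https://www.googletagmanager.com/gtm.js https://www.googleadservices.com "
    "https://googleads.g.doubleclick.net https://www.google-analytics.com "
    "https://www.google-analytics.com/analytics.js "
    "https://platform.twitter.com/widgets.js https://static.npmjs.com/; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com "
    "https://static.npmjs.com/; "
    "frame-src checkout.stripe.com https://accountdock.com/app "
    "https://www.youtube.com/embed/mKMaG0cixXw https://static.accountdock.com/; "
    "font-src https://fonts.gstatic.com https://static.npmjs.com/"
)

# Constructed hardened variant (nonce value made up): a per-response nonce is
# added, and 'unsafe-inline' survives only as a fallback for pre-CSP2 browsers.
HARDENED_CSP = (
    "default-src 'none'; "
    "script-src 'self' 'nonce-d3JpdGUgYSBuZXcgbm9uY2U' 'unsafe-inline' "
    "https://static.npmjs.com/; "
    "style-src 'self' https://static.npmjs.com/"
)

# Fetch directives: these fall back to default-src when absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "frame-src", "media-src", "object-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}

_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """{directive: [source expressions]}; names are case-insensitive and a
    repeated directive is ignored (first wins), as in the CSP3 parser."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Source list the browser enforces for `directive`, or None when the
    policy does not govern it at all (neither it nor default-src is set)."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def allows_all_inline(sources: Optional[List[str]], script: bool = True) -> bool:
    """CSP3 'does a source list allow all inline behavior': 'unsafe-inline'
    counts only if no nonce/hash (and, for scripts, no 'strict-dynamic')
    is present, because those make browsers ignore it."""
    if sources is None:
        return True  # nothing governs this directive, so nothing blocks inline
    allow = False
    for expr in sources:
        if _NONCE_OR_HASH.match(expr):
            return False
        if script and expr.lower() == "'strict-dynamic'":
            return False
        if expr.lower() == "'unsafe-inline'":
            allow = True
    return allow


def inline_scripts_allowed(policy: Dict[str, List[str]]) -> bool:
    return allows_all_inline(effective_sources(policy, "script-src"), script=True)


def audit(policy: Dict[str, List[str]]) -> List[str]:
    """Findings a reviewer would raise against the parsed policy."""
    findings: List[str] = []
    if inline_scripts_allowed(policy):
        findings.append("script-src: inline scripts run, so an XSS payload "
                        "needs no allowlisted host at all")
    for directive, sources in policy.items():
        for src in sources:
            low = src.lower()
            if low == "*":
                findings.append(f"{directive}: wildcard host, any origin allowed")
            elif low == "http:" or low.startswith("http://"):
                findings.append(f"{directive}: cleartext source {src}")
    return findings


if __name__ == "__main__":
    for name, header in (("npmjs", NPMJS_CSP), ("hardened", HARDENED_CSP)):
        print(name, "->", audit(parse_csp(header)) or ["no findings"])
```

Run it and the npm policy yields three findings (inline scripts, the http:// connect-src collector, the img-src wildcard) while the nonce-bearing variant yields none, even though it still contains the literal 'unsafe-inline': that is the CSP2/3 behaviour to rely on when keeping the keyword for old browsers.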