What is this site?
We thought that making a public list might make them care a bit more.
It might also cheer up sysadmins who are struggling to deploy a strict policy on a complex website, to see that even some big players have botched their CSP.
What is a CSP?
CSP stands for Content Security Policy. It lets a site declare to the browser which dynamic resources are allowed to load, for example "Dear browser, please only load scripts from my site and my CDN", to prevent malicious script
Yeah but maybe those sites are testing their policy
The correct™ way to do an incremental policy deployment is to use the Content-Security-Policy-Report-Only header for tests, then Content-Security-Policy to prevent regressions.
Why are those policies bad?
Most of them are listed on this website because of their usage of 'unsafe-inline' or 'unsafe-eval' in the script-src part, which respectively means:
- allowing inline scripts like <img src=x onerror="alert(1)">
- allowing the usage of the infamous eval()
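As an added example (not this site's own code), here is a small Python checker that applies the criterion above to a policy string: it parses the header, falls back to default-src when script-src is absent, and reports 'unsafe-inline' / 'unsafe-eval' the way browsers actually apply them. It works on the value of either Content-Security-Policy or Content-Security-Policy-Report-Only; the sample headers are constructed.

```python
# Added example: flag 'unsafe-inline' / 'unsafe-eval' in the script-src of a CSP header.
# Not part of this site's code; the sample headers below are constructed.

UNSAFE_SCRIPT_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample policies (the kind of header you would copy from a response).
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example"
STRICT = "default-src 'self'; script-src 'self' 'nonce-d41d8cd9' https://cdn.example; object-src 'none'"
NO_SCRIPT_SRC = "default-src 'self' 'unsafe-inline'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive.
    A directive repeated later in the same policy is ignored, as browsers do.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: dict[str, list[str]]) -> list[str]:
    """Sources that govern scripts: script-src, else default-src, else nothing."""
    return policy.get("script-src", policy.get("default-src", []))


def unsafe_script_keywords(header: str) -> list[str]:
    """Return the unsafe keywords that actually apply to scripts, in header order.

    'unsafe-inline' is ignored by CSP Level 2+ browsers when a nonce or hash
    source is also present (it then only serves as a fallback for old browsers),
    so such a policy is not reported as allowing inline scripts.
    """
    sources = [s.lower() for s in script_sources(parse_csp(header))]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    flagged = []
    for source in sources:
        if source == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if source in UNSAFE_SCRIPT_KEYWORDS:
            flagged.append(source)
    return flagged


if __name__ == "__main__":
    for name, header in (("WEAK", WEAK), ("STRICT", STRICT), ("NO_SCRIPT_SRC", NO_SCRIPT_SRC)):
        print(f"{name}: {unsafe_script_keywords(header) or 'no unsafe script keywords'}")
```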
Can you help me to deploy my CSP?
You're amongst the most popular websites on the web, I'm quite sure you've got some skilled engineers that are more than able to fix your policy.
Who's the idiot behind this?
A bunch of idiots, mostly from #websec.
I want to add a new website!
Email it to