Useless CSP


What is this site?

CSP is notoriously tricky to get right, but some people aren't even trying and are likely adding headers to tick a box on their assessment report.

We thought that making a public list might make them care a bit more.

It might also cheer up sysadmins who are struggling to deploy a strict policy on a complex website, to see that even some big players have botched their CSP.

What is a CSP?

CSP stands for Content Security Policy. It lets a site declare to the browser which dynamic resources are allowed to load, for example "Dear browser, please only load scripts from my site and my CDN", to prevent malicious script injection.

Mozilla has some nice documentation about it that goes into great detail, and this website provides a lot of examples.

Yeah but maybe those sites are testing their policy

The correct™ way to do an incremental policy deployment is to use the Content-Security-Policy-Report-Only header for tests, and Content-Security-Policy to prevent regressions.

Why are those policies bad?

Most of them are listed on this website because of their usage of 'unsafe-inline' and 'unsafe-eval' in the script-src part, respectively:

  1. allowing inline scripts like <script>alert(1)</script> or <img src=x onerror="alert(1)">
  2. allowing the usage of the infamous eval function.
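The two points above, plus the Report-Only remark from the previous answer, boil down to a check a site owner can run against their own response headers. The following script is an added example and is not code from this site or its authors: it parses a CSP string into directives, resolves the script-src / default-src fallback, and flags 'unsafe-inline' and 'unsafe-eval' in the effective script source list, while noting that an enforcing header is missing when only the Report-Only one is set. The header values in SAMPLE_RESPONSES are constructed for the demonstration. It also carries one caveat the text does not spell out: CSP Level 2 and later browsers ignore 'unsafe-inline' when a nonce or hash source is present in the same directive, so that combination is a legitimate backward-compatibility fallback rather than a useless policy.

```python
"""Flag a 'useless' CSP: an effective script-src that allows 'unsafe-inline'
or 'unsafe-eval', or a site that only ships the Report-Only header.
Added example; the sample headers below are constructed, not real sites."""

from typing import Dict, List, Optional, Tuple

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"

# Prefixes of source expressions that make browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed response headers for three kinds of site.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "useless": {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example"
    },
    "report-only": {
        "Content-Security-Policy-Report-Only": "default-src 'self'"
    },
    "strict": {
        "Content-Security-Policy":
            "default-src 'none'; script-src 'nonce-abc123' 'unsafe-inline' 'strict-dynamic'; object-src 'none'"
    },
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, and browsers ignore a repeated directive, so the
    first occurrence wins here as well.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_script_src(directives: Dict[str, List[str]]) -> Tuple[Optional[str], List[str]]:
    """script-src falls back to default-src when absent; return (directive, sources)."""
    if "script-src" in directives:
        return "script-src", directives["script-src"]
    if "default-src" in directives:
        return "default-src", directives["default-src"]
    return None, []


def script_src_problems(policy: str) -> List[str]:
    """Return human-readable findings for the script sources of one policy."""
    name, sources = effective_script_src(parse_csp(policy))
    if name is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    problems: List[str] = []
    lowered = [s.lower() for s in sources]  # keyword sources are case-insensitive
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    # 'unsafe-inline' is ignored by CSP2+ browsers once a nonce/hash is present,
    # so only report it when it actually takes effect.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        problems.append(f"{name} allows 'unsafe-inline': inline <script> and event handlers run")
    if "'unsafe-eval'" in lowered:
        problems.append(f"{name} allows 'unsafe-eval': eval() and new Function() are permitted")
    return problems


def assess_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify one response: is there an enforcing header, and is it useless?"""
    lowered = {k.lower(): v for k, v in headers.items()}
    enforced = lowered.get(ENFORCE)
    report_only = lowered.get(REPORT_ONLY)
    problems: List[str] = []
    if enforced is None:
        msg = "no enforcing Content-Security-Policy header"
        if report_only is not None:
            msg += " (Report-Only is for testing; it blocks nothing)"
        problems.append(msg)
    else:
        problems.extend(script_src_problems(enforced))
    return {"enforced": enforced is not None,
            "report_only": report_only is not None,
            "problems": problems}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        verdict = assess_headers(headers)
        print(f"{label}: {'OK' if not verdict['problems'] else 'USELESS'}")
        for p in verdict["problems"]:
            print(f"  - {p}")
```

Run it as-is to see the three constructed responses classified; to check a real site, paste its response headers into the dictionary passed to assess_headers. The script deliberately only looks at script sources, which is the criterion this list uses; a full validator (such as the online ones linked further down) also reasons about object-src, base-uri and host-source bypasses.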

Can you help me to deploy my CSP?

You're amongst the most popular websites on the web, I'm quite sure you've got some skilled engineers that are more than able to fix your policy.

Just in case, you might want to read Mozilla's documentation, GitHub's post-CSP journey, and check your policy on some fancy online validators to make sure that everything is fine.

Who's the idiot behind this?

A bunch of idiots, mostly from #websec.

I want to add a new website!

Email it to