Useless CSP

Jun 08, 2019

Parcoursup

Parcoursup is the mandatory website French students use to apply to schools. Its CSP is not only useless, but also questionable for a governmental website: `script-src` carries `'unsafe-inline'` with no nonce or hash, so any injected inline script or event handler still runs, and the bare `https:` source lets scripts load from any HTTPS origin, which makes the host allow-list next to it meaningless. The `'unsafe-inline'` keyword in `img-src`, `media-src` and `font-src` has no effect at all; it only applies to script and style directives.

$ curl -s -i 'parcoursup.fr' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr *.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline';
 img-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr *.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline';
 media-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr *.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline';
 script-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr *.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline';
 font-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr *.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline';
$
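To make the "useless" verdict mechanical rather than a matter of eyeballing the header, here is a small checker, added for this post and not part of the original page or of Parcoursup's code. It embeds the header quoted above as a constant (no live request is made), parses it the way a browser does (first occurrence of a directive wins, later duplicates are ignored), and reports the reasons the effective `script-src` cannot stop XSS, plus the directives where `'unsafe-inline'` is dead weight. The hardened policy it compares against is a hypothetical example.

```python
import re

# The header shown on this page, embedded so the check runs offline.
PARCOURSUP_CSP = (
    "default-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr "
    "*.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline'; "
    "img-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr "
    "*.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline'; "
    "media-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr "
    "*.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline'; "
    "script-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr "
    "*.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline'; "
    "font-src 'self' *.parcoursup.fr *.parcoursup-nouvelle-caledonie.fr "
    "*.twitter.com *.dailymotion.com *.paybox.com https: 'unsafe-inline'"
)

# Hypothetical policy that does block injected scripts, for comparison.
HARDENED_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"

# Directives whose source list may legitimately contain 'unsafe-inline'.
INLINE_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr",
}

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}.
    Directive names are case-insensitive; as in browsers, the first
    occurrence of a directive wins and later duplicates are ignored."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_src_findings(policy):
    """Reasons the effective script-src fails to stop XSS; [] means none found."""
    sources = policy.get("script-src", policy.get("default-src", []))
    lowered = [s.lower() for s in sources]
    findings = []
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one
    # is present; without one it re-enables every inline script and handler.
    if "'unsafe-inline'" in lowered and not any(NONCE_OR_HASH.match(s) for s in lowered):
        findings.append("unsafe-inline: injected inline scripts and event handlers run")
    # A bare scheme or '*' makes the host allow-list beside it irrelevant.
    if "https:" in lowered or "*" in lowered:
        findings.append("https: or *: external scripts load from any matching origin")
    if "'unsafe-eval'" in lowered:
        findings.append("unsafe-eval: eval()/Function() payloads run")
    if not sources:
        findings.append("no script-src or default-src: scripts are unrestricted")
    return findings


def pointless_unsafe_inline(policy):
    """Directives where 'unsafe-inline' has no meaning (img-src, font-src, ...)."""
    return sorted(
        name for name, sources in policy.items()
        if name not in INLINE_DIRECTIVES
        and "'unsafe-inline'" in [s.lower() for s in sources]
    )


if __name__ == "__main__":
    for label, header in (("parcoursup", PARCOURSUP_CSP), ("hardened", HARDENED_CSP)):
        policy = parse_csp(header)
        print(label, script_src_findings(policy), pointless_unsafe_inline(policy))
```

Run against the Parcoursup header the checker returns two findings for `script-src` (inline scripts allowed, any HTTPS origin allowed) and flags `'unsafe-inline'` as pointless in `font-src`, `img-src` and `media-src`; the nonce-based policy returns none. Note that `'unsafe-inline'` next to a nonce is deliberately not reported: it is the documented fallback for old browsers and is ignored by browsers that support nonces.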

Thanks to droper for the hint.