Useless CSP

Jul 17, 2018

Qwant

Qwant's script-src allows 'unsafe-inline', 'unsafe-eval', blob: and data:, which permits inline scripts, eval() and scripts loaded from blob: and data: URLs.

$ curl -s -i https://www.qwant.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src * data: blob:; 
script-src 'unsafe-inline' 'unsafe-eval' blob: data: *.qwant.com *.kamoov.com; 
style-src 'unsafe-inline' data: *.qwant.com;
$
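
A check a reviewer could run against the header above, as an added example (not part of the original page and not Qwant's code). The function names and the STRICT comparison policy are constructed for illustration.

```python
# Added example: audit the directive that governs scripts in a CSP header value.
WEAK = {
    "'unsafe-inline'": "inline <script> blocks and event handlers run",
    "'unsafe-eval'": "eval() and other string-to-code sinks are allowed",
    "data:": "data: URLs load as scripts",
    "blob:": "blob: URLs load as scripts",
    "*": "scripts load from any host",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_script_src(policy):
    """List (source, reason) findings for the effective script policy."""
    d = parse_csp(policy)
    # script-src falls back to default-src when it is absent.
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        return [("(none)", "no script-src or default-src: scripts are unrestricted")]
    lowered = [s.lower() for s in sources]
    # A nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    pinned = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    findings = []
    for s in lowered:
        if s == "'unsafe-inline'" and pinned:
            continue
        if s in WEAK:
            findings.append((s, WEAK[s]))
    return findings

# Header value as captured in the curl output above.
QWANT = ("default-src * data: blob:; "
         "script-src 'unsafe-inline' 'unsafe-eval' blob: data: *.qwant.com *.kamoov.com; "
         "style-src 'unsafe-inline' data: *.qwant.com;")
# Constructed stricter policy for comparison (an assumption, not Qwant's).
STRICT = "default-src 'none'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"

if __name__ == "__main__":
    for name, policy in (("qwant", QWANT), ("strict", STRICT)):
        print(name, audit_script_src(policy) or "no weak script sources")
```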