Useless CSP

Jul 16, 2018

Rue du commerce

rueducommerce.fr is a "big" French e-commerce website that likes neither curl nor ad blockers:

$ curl -i https://rueducommerce.fr
HTTP/1.1 403 Forbidden
Date: Mon, 16 Jul 2018 20:26:16 GMT
Server: DataDome
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 481
X-Varnish: 511952256
Age: 0
Via: 1.1 varnish (Varnish/5.0)
X-DataDome: protected
Content-Type: text/html;charset=utf-8
Charset: utf-8
Cache-Control: max-age=0, private, no-cache, no-store, must-revalidate
Pragma: no-cache
X-DataDome-CID: AHrlqAAAAAMA78zxfAiAWtgAWQIdWQ==
Set-Cookie: datadome=AHrlqAAAAAMA78zxfAiAWtgAWQIdWQ==;Path=/;Domain=rueducommerce.fr;Expires=Tue, 16-Jul-2019 20:26:16 GMT;Max-Age=31536000
Connection: keep-alive

<!--
Need permission to access data? Contact: DataAccess@datadome.co
-->
<html><head><title>You have been blocked</title><style>#cmsg{animation: A 1.5s;}@keyframes A{0%{opacity:0;}99%{opacity:0;}100%{opacity:1;}}</style></head><body style="margin:0"><p id="cmsg">Please enable JS and disable any ad blocker</p><script>var dd={'cid':'AHrlqAAAAAMA78zxfAiAWtgAWQIdWQ==','hsh':'4D096F16F58CAD48C209A56E8041CD'}</script><script src="https://ct.datadome.co/c.js"></script></body></html>

But they also have a useless CSP:

default-src https: 'unsafe-inline' 'unsafe-eval';
img-src https: data: about:;
connect-src https: wss:;
worker-src https: blob:;
report-uri /api/csp-report;
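Why that policy is useless, shown with a small CSP linter added here (not code from the post or from the site): it resolves script-src through the default-src fallback and flags the settings that let injected scripts run. The HARDENED_CSP value and its nonce are constructed for comparison only.

```python
# Added example: minimal CSP linter for the policy quoted above. It models only
# the fallback to default-src; it is not a full browser CSP implementation.

# Directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = ("script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "object-src", "worker-src")

# Policy quoted in the post, joined onto one header line.
RUEDUCOMMERCE_CSP = ("default-src https: 'unsafe-inline' 'unsafe-eval'; "
                     "img-src https: data: about:; connect-src https: wss:; "
                     "worker-src https: blob:; report-uri /api/csp-report")

# Constructed, stricter policy for comparison: scripts only via a nonce.
HARDENED_CSP = ("default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                "object-src 'none'; base-uri 'none'; report-uri /api/csp-report")


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(csp: dict, directive: str) -> list:
    """Return the source list a browser applies to `directive`, honouring fallback."""
    if directive in csp:
        return csp[directive]
    return csp.get("default-src", []) if directive in FALLBACK_TO_DEFAULT else []


def csp_findings(policy: str) -> list:
    """List the settings that make a policy ineffective against script injection."""
    csp = parse_csp(policy)
    scripts = [s.lower() for s in effective_sources(csp, "script-src")]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    findings = []
    # Browsers ignore 'unsafe-inline' only when a nonce or hash is also present.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() run")
    # Scheme and wildcard sources admit any matching host unless 'strict-dynamic' applies.
    if any(s in ("*", "https:", "http:") for s in scripts) and "'strict-dynamic'" not in scripts:
        findings.append("script-src allows scripts from any host matching a scheme or wildcard")
    if not effective_sources(csp, "object-src"):
        findings.append("object-src is unrestricted: plugin and <object> content is unconstrained")
    return findings
```

Running `csp_findings(RUEDUCOMMERCE_CSP)` yields three findings, while the constructed hardened policy yields none.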