Useless CSP

Aug 26, 2018

Scott Helme

Scott Helme allows cdnjs.cloudflare.com in script-src (it hosts AngularJS builds, which enable comprehensive CSP bypasses), but his policy is still better than those of the majority of the websites listed on this site.

$ curl -s -i https://scotthelme.co.uk/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src 'self'; 
script-src 'self' disqus.com c.disquscdn.com platform.instagram.com cdnjs.cloudflare.com scotthelme.disqus.com a.disquscdn.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com; 
style-src 'self' c.disquscdn.com a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com; 
img-src 'self' data: www.gravatar.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com; 
child-src www.instagram.com twitter.com fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com www.youtube-nocookie.com; 
connect-src 'self' syndication.twitter.com links.services.disqus.com; 
font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; 
form-action 'self' syndication.twitter.com; 
upgrade-insecure-requests; 
report-uri https://scotthelme.report-uri.com/r/d/csp/enforce
$
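As an added example that is not part of the original post, the checker below parses a Content-Security-Policy header the way the curl/grep pipeline above surfaces it and reports the script sources that weaken the policy: `'unsafe-inline'`, `'unsafe-eval'`, wildcards, scheme-only sources, and public library CDNs. The cdnjs.cloudflare.com entry comes from the post; the other hosts in `PUBLIC_LIBRARY_CDNS` are an assumption (well-known hosts of third-party JavaScript libraries), and the sample header is a copy of the one quoted above.

```python
# Added example (not from the original post): a small script-src checker for
# Content-Security-Policy headers. The cdnjs.cloudflare.com entry is from the
# post; the other PUBLIC_LIBRARY_CDNS hosts are an assumption chosen as
# well-known hosts of third-party JavaScript libraries.

from typing import Dict, List, Tuple

# Hosts that serve arbitrary third-party libraries (AngularJS builds among
# them). Allowing one as a script source means any script hosted there runs on
# the page, so the script-src restriction no longer limits much.
PUBLIC_LIBRARY_CDNS = {
    "cdnjs.cloudflare.com",   # from the post
    "ajax.googleapis.com",    # assumption: Google Hosted Libraries
    "cdn.jsdelivr.net",       # assumption
    "unpkg.com",              # assumption
}

# Keyword sources that weaken script-src on their own.
WEAK_KEYWORDS = {
    "'unsafe-inline'": "inline scripts allowed, XSS is not mitigated",
    "'unsafe-eval'": "eval()/Function() allowed",
    "*": "any origin may serve scripts",
}

# The header quoted in the post, joined back into one line.
SCOTTHELME_CSP = (
    "default-src 'self'; "
    "script-src 'self' disqus.com c.disquscdn.com platform.instagram.com "
    "cdnjs.cloudflare.com scotthelme.disqus.com a.disquscdn.com go.disqus.com "
    "platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com; "
    "style-src 'self' c.disquscdn.com a.disquscdn.com fonts.googleapis.com "
    "cdnjs.cloudflare.com platform.twitter.com; "
    "img-src 'self' data: www.gravatar.com links.services.disqus.com "
    "referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com "
    "syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com; "
    "child-src www.instagram.com twitter.com fusiontables.googleusercontent.com "
    "fusiontables.google.com www.google.com disqus.com www.youtube.com "
    "syndication.twitter.com platform.twitter.com www.youtube-nocookie.com; "
    "connect-src 'self' syndication.twitter.com; "
    "font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; "
    "form-action 'self' syndication.twitter.com; "
    "upgrade-insecure-requests; "
    "report-uri https://scotthelme.report-uri.com/r/d/csp/enforce"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Directives are separated by ';', sources by whitespace. Per the CSP spec a
    repeated directive is ignored, so the first occurrence wins.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src if present, otherwise the default-src fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def script_src_findings(header: str) -> List[Tuple[str, str]]:
    """Return (source, reason) pairs for script sources that weaken the policy."""
    findings: List[Tuple[str, str]] = []
    for src in effective_script_sources(parse_csp(header)):
        lowered = src.lower()
        if lowered in WEAK_KEYWORDS:
            findings.append((src, WEAK_KEYWORDS[lowered]))
        elif lowered in ("http:", "https:"):
            findings.append((src, "scheme-only source allows scripts from any host"))
        else:
            # Drop an optional scheme and path so "https://host/x" and "host"
            # compare equal.
            host = lowered.split("://", 1)[-1].split("/", 1)[0]
            if host.startswith("*."):
                findings.append((src, "wildcard host: every subdomain may serve scripts"))
            elif host in PUBLIC_LIBRARY_CDNS:
                findings.append((src, "public library CDN hosting AngularJS, "
                                      "enables a comprehensive CSP bypass"))
    return findings


if __name__ == "__main__":
    for source, reason in script_src_findings(SCOTTHELME_CSP):
        print(f"{source}: {reason}")
```

Pipe a real header into `script_src_findings` (for example the output of the curl command above without the `sed` step) to get the same report for any site; an empty list means script-src contains none of the patterns this checker knows about, not that the policy is sound.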