Useless CSP

Oct 27, 2019

SNCF's WiFi

The SNCF's WiFi captive portal allows pretty much everything JavaScript-side:

$ curl -s -i 'https://wifi.sncf' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' wifi.sncf www.wifi.sncf tgvconnect.com www.tgvconnect.com *.pepita.vsct.fr tgvconnect-embed.braineet.com *.twimg.com *.twitter.com http://*.openstreetmap.org https://*.easybroadcast.fr data: blob: ws: wss:;
 report-uri https://pepita.vsct.fr/__vsctcspreport__
$
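To make the point concrete, here is a small checker, added as an example and not part of the original post, that parses the header above and lists why it will not stop injected script from running. It goes a little beyond the quoted header: it applies the script-src-to-default-src fallback browsers use, ignores 'unsafe-inline' when a nonce or hash is present (as browsers do), and flags wildcard hosts, plaintext http: hosts and data:/blob: sources as well. The function names and the hardened policy at the bottom are my own, not anything the portal serves.

```python
"""Added example: parse a Content-Security-Policy value and explain why it
offers no protection against script injection. Not code from the original
post; the SNCF header below is copied from the curl output quoted there."""

# The header quoted in the post, joined back onto one line.
SNCF_CSP = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' wifi.sncf www.wifi.sncf "
    "tgvconnect.com www.tgvconnect.com *.pepita.vsct.fr "
    "tgvconnect-embed.braineet.com *.twimg.com *.twitter.com "
    "http://*.openstreetmap.org https://*.easybroadcast.fr data: blob: ws: wss:; "
    "report-uri https://pepita.vsct.fr/__vsctcspreport__"
)

# A policy that would actually constrain script execution (constructed here
# for comparison; not something the portal sends).
HARDENED_CSP = (
    "default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none'"
)

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Return {directive: [source expressions]} for a CSP header value.
    Directives are separated by ';' and tokens by whitespace; if a directive
    appears twice, browsers keep the first occurrence, so we do the same."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_script_sources(policy):
    """script-src governs script loading; when it is absent, browsers fall
    back to default-src (which is exactly what happens for the SNCF header)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def script_weaknesses(policy):
    """List the reasons injected script would still execute under this policy."""
    sources = [s.lower() for s in effective_script_sources(policy)]
    findings = []
    if not sources:
        findings.append("no script-src and no default-src: any script source allowed")
        return findings
    # A nonce or hash makes 'unsafe-inline' a no-op in CSP2+ browsers.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline': injected <script> and inline handlers execute")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval': eval()/new Function() on injected strings allowed")
    for s in sources:
        if s == "*":
            findings.append("*: scripts may be loaded from any origin")
        elif s in ("data:", "blob:"):
            findings.append(f"{s}: script can be loaded from an injected {s} URL")
        if s.startswith("http:"):
            findings.append(f"{s}: plaintext source, script modifiable on the wire")
        if "*" in s and s != "*":
            findings.append(f"{s}: wildcard host, every subdomain may serve script")
    return findings


def is_useless_against_xss(header):
    """True when the policy leaves at least one way to run injected script."""
    return bool(script_weaknesses(parse_csp(header)))


if __name__ == "__main__":
    for name, header in (("SNCF", SNCF_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: useless={is_useless_against_xss(header)}")
        for finding in script_weaknesses(parse_csp(header)):
            print("  -", finding)
```

Run against the quoted header it reports 'unsafe-inline', 'unsafe-eval', data:, blob:, the plaintext openstreetmap entry and every wildcard host; the same policy would report nothing if script-src were limited to a nonce plus 'strict-dynamic'.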