Useless CSP

Aug 22, 2018

Steam Community

Steam Community allows 'unsafe-inline' and 'unsafe-eval' in script-src, and also whitelists https://www.gstatic.com, which hosts AngularJS scripts, so the script-src restriction can be bypassed regardless.

The same goes for the Steam store.

$ curl -s -i https://steamcommunity.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://steamcommunity-a.akamaihd.net/ https://api.steampowered.com/ https://steamcdn-a.akamaihd.net/steamcommunity/public/assets/ *.google-analytics.com https://www.google.com https://www.gstatic.com https://apis.google.com;
object-src 'none';
connect-src 'self' https://api.steampowered.com/ https://store.steampowered.com/ wss://community.steam-api.com/websocket/ *.google-analytics.com http://127.0.0.1:27060 ws://127.0.0.1:27060;
frame-src 'self' steam: https://store.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com;
$
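As an added example (not code from the original post), a small Python audit that parses a CSP header and reports the script-src sources that make the policy ineffective; its sample input is the steamcommunity.com header quoted above, and the AngularJS host list is an assumption seeded only with the gstatic host the post names.

```python
import re

# Constructed sample: the script-src steamcommunity.com served at the time of the post (copied from above).
SAMPLE_CSP = (
    "default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://steamcommunity-a.akamaihd.net/ "
    "https://api.steampowered.com/ https://steamcdn-a.akamaihd.net/steamcommunity/public/assets/ "
    "*.google-analytics.com https://www.google.com https://www.gstatic.com https://apis.google.com; "
    "object-src 'none'"
)
# Assumption: hosts known to serve AngularJS; only the one the post names is listed here.
ANGULAR_HOSTS = {"www.gstatic.com"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def host_of(source: str) -> str:
    """Host part of a host-source ('https://x.y/path' -> 'x.y'); '' for keywords and scheme sources."""
    if source.startswith("'") or re.fullmatch(r"[a-z][a-z0-9+.-]*:", source, re.I):
        return ""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", source, flags=re.I).split("/")[0].lower()


def audit_script_src(header: str) -> list:
    """Findings that make script-src ineffective; script-src falls back to default-src when absent."""
    policy = parse_csp(header)
    sources = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    findings = []
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present, so flag it only when alone.
    if "'unsafe-inline'" in sources and not any(s.startswith(("'nonce-", "'sha")) for s in sources):
        findings.append("'unsafe-inline' lets inline scripts and event handlers execute")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' lets eval() and new Function() run strings as code")
    for s in sources:
        if s in ("*", "http:", "https:", "data:"):
            findings.append(f"{s} is a broad scheme or wildcard source; any matching origin can supply script")
        host = host_of(s)
        if host.startswith("*."):
            findings.append(f"{host} is a wildcard; every subdomain is trusted for script")
        if host in ANGULAR_HOSTS:
            findings.append(f"{host} serves AngularJS, whose templates evaluate expressions found in page markup")
    return findings
```

Run `audit_script_src(SAMPLE_CSP)` to get the four findings for the header above; a policy such as `script-src 'nonce-...' 'strict-dynamic'` produces none.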