Useless CSP

Jul 17, 2018

SurveyMonkey

SurveyMonkey has default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' 'self'; and no script-src, so that default-src governs scripts: 'unsafe-inline' allows any inline script and the https: scheme source allows a script from any HTTPS origin, which leaves nothing for the policy to block. Only the frame-ancestors directive does any real work (framing control).

$ curl -s -i https://www.surveymonkey.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' 'self'; 
frame-ancestors 'self' https://*.zendesk.com https://*.myshopify.com https://teams.microsoft.com https://*.eloqua.com https://*.surveymonkey.com; 
report-uri https://csp.surveymonkey.com/report?e=true&c=prod&a=anonweb
$
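As an added example (not code from this page), a small checker that parses a CSP header value and lists the source expressions that make its script policy ineffective. It is run against the header above and against a constructed strict policy; the 'nonce-PLACEHOLDER' value in that policy is a stand-in for a real per-response nonce.

```python
"""Flag Content-Security-Policy headers whose script policy blocks no
injected script (added example; not code from the Useless CSP page)."""

# Source expressions that, in the list governing scripts, let an injected
# script run anyway: inline/eval permission, or any origin on a scheme.
SCRIPT_WEAKENERS = {
    "'unsafe-inline'", "'unsafe-eval'",   # inline and eval()'d script allowed
    "*", "http:", "https:",               # any host on the scheme
    "data:", "blob:",                     # script from data:/blob: URLs
}

def parse_csp(header):
    """Split a CSP header value into {directive-name: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            # Per the spec, later duplicates of a directive are ignored.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def script_sources(policy):
    """The source list that governs <script>: script-src, else default-src."""
    return policy.get("script-src", policy.get("default-src"))

def weak_script_sources(header):
    """Return the tokens that make the script policy ineffective
    ([] means none of the known weakeners is present)."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["<no script-src or default-src: scripts unrestricted>"]
    if "'strict-dynamic'" in sources:
        # CSP3: with 'strict-dynamic', 'unsafe-inline' and host/scheme sources
        # are ignored by the browser; only 'unsafe-eval' still weakens it.
        return [s for s in sources if s == "'unsafe-eval'"]
    return [s for s in sources if s in SCRIPT_WEAKENERS]

# The header shown on this page (as sent by www.surveymonkey.com on 2018-07-17).
SURVEYMONKEY_CSP = (
    "default-src https: data: blob: 'unsafe-eval' 'unsafe-inline' 'self'; "
    "frame-ancestors 'self' https://*.zendesk.com https://*.myshopify.com "
    "https://teams.microsoft.com https://*.eloqua.com https://*.surveymonkey.com; "
    "report-uri https://csp.surveymonkey.com/report?e=true&c=prod&a=anonweb"
)

# A constructed policy of the shape that does block injected scripts
# (the nonce value is a placeholder; a real one is random per response).
STRICT_CSP = ("default-src 'self'; script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for name, csp in (("SurveyMonkey", SURVEYMONKEY_CSP), ("strict", STRICT_CSP)):
        print(name, "weak script sources:", weak_script_sources(csp) or "none")
```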