Useless CSP

Jul 16, 2018

The Guardian

theguardian.com's policy boils down to script-src https: 'unsafe-inline' 'unsafe-eval' (with default-src https: for everything else): any script served over HTTPS, every inline script and eval() are all permitted, which is exactly what a CSP exists to restrict, so the header offers no real protection against injected script.

$ curl -s -i https://www.theguardian.com/international | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https:; 
script-src https: 'unsafe-inline' 'unsafe-eval'; 
style-src https: 'unsafe-inline'; 
img-src https: data: blob:; 
media-src https: data: blob:; 
font-src https: data:; 
connect-src https: wss:
$
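To make the "useless" verdict mechanical, here is a small audit script (an added example, not code from the original post) that parses a serialized CSP, applies the default-src fallback the way browsers do, and reports the weaknesses in the header captured above; the hardened policy it is compared against is a constructed illustration, not anything The Guardian serves.

```python
import re
# Header captured on the page (theguardian.com, July 2018), joined back into one line.
GUARDIAN_CSP = (
    "default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; "
    "style-src https: 'unsafe-inline'; img-src https: data: blob:; "
    "media-src https: data: blob:; font-src https: data:; connect-src https: wss:"
)
# Constructed comparison policy (an assumption for this example, not any real site's header):
# a per-response nonce replaces 'unsafe-inline'; with 'strict-dynamic', https: is a fallback only.
HARDENED_CSP = (
    "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' https:; "
    "object-src 'none'; base-uri 'none'; style-src 'self' 'nonce-r4nd0m'; "
    "img-src 'self' data:; connect-src 'self' wss://push.example; font-src 'self'"
)
SCHEME_ONLY = re.compile(r"^(https?|wss?|data|blob|filesystem):$")
FETCH_FALLBACK = ("script-src", "style-src", "img-src", "connect-src", "font-src",
                  "media-src", "object-src", "frame-src", "worker-src")

def parse_csp(header):
    """Split a serialized policy into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # CSP: first occurrence wins
    return policy

def effective_sources(policy, directive):
    """Resolve a directive, falling back to default-src for fetch directives."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH_FALLBACK else []

def audit_csp(header):
    """Return human-readable findings; an empty list means none of these checks fired."""
    policy, findings = parse_csp(header), []
    script = effective_sources(policy, "script-src")
    nonced = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not nonced:  # browsers drop it once a nonce/hash exists
        findings.append("script-src: 'unsafe-inline' without nonce/hash, inline script is unrestricted")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' permits eval() and new Function()")
    if "'strict-dynamic'" not in script:  # with it, host and scheme sources are ignored
        findings += [f"script-src: scheme-wide source {s} allows any origin on that scheme"
                     for s in script if s == "*" or SCHEME_ONLY.match(s)]
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src: not 'none', plugin content is allowed")
    if "base-uri" not in policy:
        findings.append("base-uri: missing, relative URLs can be rebased by an injected <base>")
    return findings
```

Running audit_csp on the captured header yields five findings, while the nonce-based policy yields none; the nonce value must of course be generated fresh for every response.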