Useless CSP

Aug 19, 2018

The New York Times

The New York Times allows pretty much everything. Every fetch directive accepts any https: origin, and script-src adds data:, 'unsafe-inline' and 'unsafe-eval' on top, so an injected inline <script>, a <script src="data:..."> or a script hosted on any HTTPS server all run. There is no nonce or hash, no base-uri, and object-src https: lets plugin content in from any HTTPS host. Against XSS the policy does nothing; the only thing it actually enforces is HTTPS, via block-all-mixed-content, the https:-only (and wss:) source lists, and form-action https:. It seems that they're using CSP only to prevent http usage.

$ curl -s -i 'https://www.nytimes.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src data: 'unsafe-inline' 'unsafe-eval' https:; 
script-src data: 'unsafe-inline' 'unsafe-eval' https: blob:; 
style-src data: 'unsafe-inline' https:; 
img-src data: https: blob:; 
font-src data: https:; 
connect-src https: wss:; 
media-src https: blob:; 
object-src https:; 
child-src https: data: blob:; 
form-action https:; 
block-all-mixed-content;
$
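To make the "allows everything" claim checkable rather than eyeballed, here is a small auditor that parses a CSP header and reports the source expressions that defeat its XSS protection. This is an added example, not code from the original post; the sample header is the NYT policy copied from the curl output above, and the weakness checks are my own heuristics (script-src fallback to default-src, nonce/hash and 'strict-dynamic' handling follow the CSP3 rules, but the list is not a full CSP grammar).

```python
"""Flag the directives that make a Content-Security-Policy useless against XSS.

Added example. NYT_CSP is the header shown in the curl output above, joined
back onto one line; the weakness rules below are the author's heuristics.
"""

# Constructed input: the NYT policy from the curl output above.
NYT_CSP = (
    "default-src data: 'unsafe-inline' 'unsafe-eval' https:; "
    "script-src data: 'unsafe-inline' 'unsafe-eval' https: blob:; "
    "style-src data: 'unsafe-inline' https:; "
    "img-src data: https: blob:; "
    "font-src data: https:; "
    "connect-src https: wss:; "
    "media-src https: blob:; "
    "object-src https:; "
    "child-src https: data: blob:; "
    "form-action https:; "
    "block-all-mixed-content;"
)

# Fetch directives that inherit default-src when they are absent.
# base-uri, form-action and frame-ancestors do NOT fall back.
FALLS_BACK_TO_DEFAULT = (
    "script-src", "style-src", "object-src", "frame-src", "child-src",
    "connect-src", "img-src", "font-src", "media-src",
)

# Source expressions in script-src that let attacker-controlled script run.
SCRIPT_WEAK = {
    "'unsafe-inline'": "inline <script> and on* handlers run, so any HTML injection is XSS",
    "'unsafe-eval'": "eval()/new Function() on injected strings run",
    "data:": "<script src=\"data:,...\"> runs attacker-supplied code",
    "https:": "any https host is allowed, including attacker servers and JSONP endpoints",
    "*": "any host is allowed",
}


def parse_csp(header):
    """Return {directive: [source expressions]}; a repeated directive keeps its first value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy, directive):
    """Sources that actually apply to `directive`, honouring default-src fallback.
    Returns None when the directive is absent and has no fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def _has_nonce_or_hash(sources):
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)


def audit_csp(header):
    """Return a list of (directive, problem) findings for the given header."""
    policy = parse_csp(header)
    findings = []
    script = effective(policy, "script-src") or []
    nonce_or_hash = _has_nonce_or_hash(script)
    for src in script:
        if src == "'unsafe-inline'" and nonce_or_hash:
            continue  # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present
        if src in SCRIPT_WEAK:
            findings.append(("script-src", f"{src}: {SCRIPT_WEAK[src]}"))
    obj = effective(policy, "object-src") or []
    if obj != ["'none'"]:
        findings.append(("object-src", "not 'none': plugin content loads from " + (" ".join(obj) or "anywhere")))
    if effective(policy, "base-uri") is None:
        findings.append(("base-uri", "missing: an injected <base> tag redirects relative script URLs"))
    return findings


def blocks_injected_script(header):
    """True only if script-src (or its default-src fallback) would stop a script injected into the page."""
    script = effective(parse_csp(header), "script-src")
    if not script:
        return False  # no script-src and no default-src: nothing is restricted
    bad = {"'unsafe-inline'", "data:", "https:", "http:", "*"}
    if _has_nonce_or_hash(script):
        bad.discard("'unsafe-inline'")
    if "'strict-dynamic'" in script:
        bad -= {"https:", "http:", "*"}  # host/scheme sources are ignored under 'strict-dynamic'
    return not any(s in bad for s in script)


if __name__ == "__main__":
    for directive, problem in audit_csp(NYT_CSP):
        print(f"{directive}: {problem}")
    print("blocks injected script:", blocks_injected_script(NYT_CSP))
```

Running it against the NYT header lists four script-src problems plus the permissive object-src and the missing base-uri, and blocks_injected_script returns False; a nonce-based policy such as `script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none'` passes.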