Useless CSP

Aug 31, 2018

The New Yorker

The New Yorker allows 'unsafe-inline' 'unsafe-eval' https: in script-src, so any inline script and any script fetched from any https origin is permitted and the policy does nothing against XSS; it seems that they're only using CSP (block-all-mixed-content, upgrade-insecure-requests) to transition to https.

$ curl -s -i 'https://www.newyorker.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval';
 child-src https: data: blob:;
 connect-src https: data: blob:;
 font-src https: data:;
 img-src https: blob: data:;
 media-src blob: data: https:;
 object-src https:;
 script-src https: data: blob: 'unsafe-inline' 'unsafe-eval';
 style-src https: 'unsafe-inline';
 block-all-mixed-content;
 upgrade-insecure-requests;
 report-uri https://capture.condenastdigital.com/csp/the-new-yorker
$
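As an added example (not part of the original post), here is a small checker that parses a Content-Security-Policy header value and reports why its effective script-src does not constrain script execution. The New Yorker policy is the one quoted above, joined back onto one line; the strict comparison policy, the rule table and the function names are this example's own assumptions, not anything from the site or from a published tool.

```python
"""CSP weakness checker (added example, not part of the original post).

Parses a Content-Security-Policy header value and explains why its
script-src offers no protection against injected script. The sample
header below is the policy quoted in the post; the rule set and the
function names are this example's own assumptions.
"""
from typing import Dict, List

# The policy from the post, joined back onto one line.
NEW_YORKER_CSP = (
    "default-src https: data: 'unsafe-inline' 'unsafe-eval'; "
    "child-src https: data: blob:; connect-src https: data: blob:; "
    "font-src https: data:; img-src https: blob: data:; "
    "media-src blob: data: https:; object-src https:; "
    "script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; "
    "style-src https: 'unsafe-inline'; block-all-mixed-content; "
    "upgrade-insecure-requests; "
    "report-uri https://capture.condenastdigital.com/csp/the-new-yorker"
)

# A constructed header whose script-src actually restricts script (nonce + same origin).
STRICT_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-abc123'; "
    "style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, and
    directive names are case-insensitive. A repeated directive is ignored,
    matching browser behaviour (the first occurrence wins).
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


# Source expressions that let arbitrary script run, with the reason each defeats the policy.
WEAK_SCRIPT_SOURCES = {
    "'unsafe-inline'": "inline <script> and event handlers run, which is exactly what XSS injects",
    "'unsafe-eval'": "eval()/new Function() on untrusted strings is allowed",
    "https:": "script may load from any https origin, not just the site's own",
    "http:": "script may load from any http origin",
    "*": "script may load from any origin",
    "data:": "data: URLs let an injected <script src=data:...> carry its own payload",
    "blob:": "blob: URLs let script built at runtime be loaded back as a script file",
}


def script_src_findings(policy: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for the effective script-src.

    script-src falls back to default-src when absent; if neither is
    present, script is unrestricted. When a nonce or hash is present,
    CSP3 browsers ignore 'unsafe-inline', so that finding is dropped.
    """
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: script is completely unrestricted"]
    findings = []
    for src in sources:
        reason = WEAK_SCRIPT_SOURCES.get(src.lower())
        if reason:
            findings.append(f"{src}: {reason}")
    has_nonce_or_hash = any(
        s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if has_nonce_or_hash:
        findings = [f for f in findings if not f.startswith("'unsafe-inline'")]
    return findings


def is_useless_against_xss(header: str) -> bool:
    """True when the effective script-src permits inline script or any-origin script."""
    return bool(script_src_findings(parse_csp(header)))


if __name__ == "__main__":
    for label, hdr in (("New Yorker", NEW_YORKER_CSP), ("strict", STRICT_CSP)):
        print(f"[{label}] useless against XSS: {is_useless_against_xss(hdr)}")
        for finding in script_src_findings(parse_csp(hdr)):
            print("  -", finding)
```

Run against the quoted policy, the checker reports five findings for script-src (https:, data:, blob:, 'unsafe-inline', 'unsafe-eval'); the constructed nonce-based policy produces none. To use it on a live header, paste the value printed by the curl command above into the string.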