Useless CSP

Aug 31, 2018

The New Yorker

The New Yorker allows 'unsafe-inline' 'unsafe-eval' https: (plus data: and blob:) in script-src, so inline scripts, event handlers, eval() and script fetched from any HTTPS origin or data: URL are all permitted; against XSS the policy does nothing. It seems that they're only using CSP to block mixed content while transitioning to https.

$ curl -s -i '' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval';
 child-src https: data: blob:;
 connect-src https: data: blob:;
 font-src https: data:;
 img-src https: blob: data:;
 media-src blob: data: https:;
 object-src https:;
 script-src https: data: blob: 'unsafe-inline' 'unsafe-eval';
 style-src https: 'unsafe-inline';
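To make the "useless" judgement mechanical, here is a small checker that parses a CSP header and reports why its script-src gives no XSS protection: 'unsafe-inline' without a nonce or hash, 'unsafe-eval', and scheme-only sources such as https:, data: and blob:. This is an added example, not code from the original post; the header string is a constructed copy of the curl output above, and the function names are mine.

```python
"""Flag a script-src that offers no XSS protection (added example, not from the original post)."""

# Constructed copy of the header captured above, joined back onto one line.
NEW_YORKER_CSP = (
    "default-src https: data: 'unsafe-inline' 'unsafe-eval'; "
    "child-src https: data: blob:; "
    "connect-src https: data: blob:; "
    "font-src https: data:; "
    "img-src https: blob: data:; "
    "media-src blob: data: https:; "
    "object-src https:; "
    "script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; "
    "style-src https: 'unsafe-inline'"
)

# Constructed counter-example: a nonce-based policy that would pass.
STRICT_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"

# Source expressions that name a scheme (or everything) rather than a host.
SCHEME_SOURCES = {"https:", "http:", "data:", "blob:", "filesystem:", "*"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated and whitespace-tokenised; per the spec a
    repeated directive is ignored, so the first occurrence wins.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def script_src_findings(policy: dict) -> list:
    """Return human-readable reasons the script-src is ineffective against XSS."""
    # script-src falls back to default-src; with neither set, any script is allowed.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: any script may run"]
    lowered = [s.lower() for s in sources]
    findings = []
    # In CSP3 a nonce or hash makes 'unsafe-inline' ignored, so only flag it alone.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline': any injected <script> or on* handler runs")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval': eval()/new Function()/string setTimeout allowed")
    for s in lowered:
        if s in SCHEME_SOURCES:
            findings.append(f"{s}: scheme-only source, any {s} URL may supply script")
    return findings


def csp_is_useless_against_xss(header: str) -> bool:
    """True when the header's script-src has at least one finding."""
    return bool(script_src_findings(parse_csp(header)))


if __name__ == "__main__":
    for label, csp in (("New Yorker", NEW_YORKER_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: useless={csp_is_useless_against_xss(csp)}")
        for finding in script_src_findings(parse_csp(csp)):
            print("  -", finding)
```

Run it on the live header by piping curl's Content-Security-Policy value into `parse_csp`; the checker only looks at script-src, so a policy can pass it and still be weak elsewhere (an open object-src, for instance).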