Useless CSP

Jul 18, 2018

Tinder

Tinder has script-src * 'unsafe-inline';, which lets scripts load from any origin and lets inline scripts run, so the policy offers no protection against XSS.

$ curl -s -i 'https://tinder.com/' | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: script-src * 'unsafe-inline'; 
style-src * 'unsafe-inline' blob:; 
img-src * data: blob:
$
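To make the "useless" judgement mechanical, here is a small checker added for this post (it is not the post's own code and not anything Tinder ships). It parses a Content-Security-Policy value and reports the script-src conditions that leave an injected script runnable: a `*` or bare-scheme host source (ignored only when 'strict-dynamic' is present), 'unsafe-inline' without a nonce or hash to neutralise it, or no script-src/default-src at all. The header value embedded below is the one captured in the post; the finding codes and the notion of "useless" are this example's own.

```python
"""Flag CSP script-src settings that give no protection against injected scripts.

Added example, not part of the original post. The rules below are an
assumption about what makes a policy useless for XSS defence, based on
how browsers treat script-src sources.
"""
from typing import Dict, List, Optional

# The policy captured in the post, embedded so the example runs offline.
TINDER_CSP = (
    "script-src * 'unsafe-inline'; "
    "style-src * 'unsafe-inline' blob:; "
    "img-src * data: blob:"
)

# Short finding codes and what each one means for an attacker-controlled script.
MESSAGES = {
    "no-directive": "no script-src or default-src: scripts may load from anywhere",
    "wildcard-host": "'*' in script-src: scripts may load from any origin",
    "scheme-source": "bare http:/https: source: scripts may load from any host on that scheme",
    "unsafe-inline": "'unsafe-inline' without nonce/hash: injected inline <script> runs",
    "unsafe-eval": "'unsafe-eval': eval()/new Function() on attacker-controlled strings allowed",
}

# Any one of these is enough to make the policy useless against XSS.
USELESS_CODES = {"no-directive", "wildcard-host", "scheme-source", "unsafe-inline"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        # Browsers honour only the first occurrence of a directive name.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; if absent, default-src applies; if both absent, nothing does."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def script_src_findings(header: str) -> List[str]:
    """Return finding codes (see MESSAGES) for the script-src in effect."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["no-directive"]
    srcs = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs
    )
    findings: List[str] = []
    # With 'strict-dynamic', host and scheme sources are ignored by CSP3 browsers,
    # so a stray '*' next to a nonce is not a hole.
    if "'strict-dynamic'" not in srcs:
        if "*" in srcs:
            findings.append("wildcard-host")
        if any(s in ("http:", "https:") for s in srcs):
            findings.append("scheme-source")
    # A nonce or hash makes browsers ignore 'unsafe-inline'; without one it is fatal.
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        findings.append("unsafe-inline")
    if "'unsafe-eval'" in srcs:
        findings.append("unsafe-eval")
    return findings


def is_useless(header: str) -> bool:
    """True when the policy cannot stop an injected script from running."""
    return any(code in USELESS_CODES for code in script_src_findings(header))


if __name__ == "__main__":
    for code in script_src_findings(TINDER_CSP):
        print(f"{code}: {MESSAGES[code]}")
    print("useless:", is_useless(TINDER_CSP))
```

Run it against the captured header and it reports wildcard-host and unsafe-inline; a policy such as script-src 'self' 'nonce-...' 'unsafe-inline' (the nonce makes 'unsafe-inline' a no-op in modern browsers) produces no findings.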