Useless CSP

Jul 16, 2018

Whatsapp

whatsapp.com doesn't like curl's user agent (hence the spoofed `-A` below) and also has an impressively bad policy. `script-src` carries `'unsafe-inline'`, `'unsafe-eval'` and `data:` next to a long host allowlist, so an injected inline `<script>` or `<script src="data:...">` runs no matter what the allowlist says, and `default-src *` means every directive the policy forgot (`object-src`, for one) falls back to "anywhere". The header costs bytes and stops nothing:

$ curl -A 'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0' -s -i https://www.whatsapp.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
content-security-policy: default-src * data: blob:; 
script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self'; 
style-src data: blob: 'unsafe-inline' *; 
connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self'; 
$
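To make the "useless" verdict mechanical rather than eyeballed, here is a small CSP linter, added for this post and not part of the original page or of anything WhatsApp ships. It splits the header into directives the way a browser does (first occurrence of a directive wins, fetch directives fall back to `default-src`), then reports every source expression in the effective `script-src` that makes the allowlist bypassable. The WhatsApp header is copied from the curl output above; `STRICT_CSP` is a constructed counterexample with a nonce, where `'unsafe-inline'` is only a fallback for pre-CSP2 browsers and is ignored by current ones.

```python
# Added example, not code from the post: a minimal Content-Security-Policy
# linter. WHATSAPP_CSP is copied from the response quoted above; STRICT_CSP
# is a constructed counterexample (the nonce value is made up).

WHATSAPP_CSP = (
    "default-src * data: blob:; "
    "script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com "
    "*.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' "
    "'unsafe-eval' *.atlassolutions.com blob: data: 'self'; "
    "style-src data: blob: 'unsafe-inline' *; "
    "connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net "
    "*.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* "
    "*.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: "
    "*.cdninstagram.com 'self'"
)

STRICT_CSP = (
    "default-src 'none'; "
    "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
    "object-src 'none'; base-uri 'none'"
)


def parse_csp(header):
    """Return {directive-name: [source, ...]}.

    Directives are ';'-separated, tokens whitespace-separated. A directive
    name that appears twice is ignored after its first occurrence, which is
    what browsers do.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when absent; with neither
    present the browser applies no restriction, modelled here as ['*']."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def lint_script_src(policy):
    """List the reasons the policy's script allowlist can be bypassed."""
    srcs = [s.lower() for s in effective_sources(policy, "script-src")]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs
    )
    strict_dynamic = "'strict-dynamic'" in srcs
    findings = []
    for src in srcs:
        if src == "'unsafe-inline'":
            # CSP level 2 browsers ignore 'unsafe-inline' once a nonce, hash
            # or 'strict-dynamic' is present; it then only serves old browsers.
            if has_nonce_or_hash or strict_dynamic:
                continue
            findings.append("'unsafe-inline': injected inline scripts and event handlers run")
        elif src == "'unsafe-eval'":
            findings.append("'unsafe-eval': eval()/Function() on attacker-controlled strings")
        elif src.startswith("'"):
            continue  # 'self', nonces, hashes, 'strict-dynamic', ...
        elif strict_dynamic:
            continue  # host and scheme sources are ignored under 'strict-dynamic'
        elif src == "*":
            findings.append("*: any origin may serve script")
        elif src == "data:":
            findings.append('data: allowed: <script src="data:..."> is attacker-controlled')
        elif src.startswith("*."):
            findings.append(f"{src}: every subdomain is trusted")
        elif src.split(":")[0] in ("127.0.0.1", "localhost"):  # host-form entries only
            findings.append(f"{src}: anything listening on loopback may serve script")
    # object-src has no safe default: when missing it inherits default-src.
    obj = [s.lower() for s in effective_sources(policy, "object-src")]
    if "object-src" not in policy and "*" in obj:
        findings.append("object-src falls back to default-src *: plugin content from anywhere")
    return findings


def lint(header):
    """Parse and lint a raw Content-Security-Policy header value."""
    return lint_script_src(parse_csp(header))


if __name__ == "__main__":
    for name, csp in (("whatsapp.com", WHATSAPP_CSP), ("strict example", STRICT_CSP)):
        print(f"== {name}: {len(lint(csp))} finding(s)")
        for finding in lint(csp):
            print("  -", finding)
```

Running it on the WhatsApp header yields thirteen findings (the two `unsafe-*` keywords, `data:`, the loopback entry, eight wildcard-subdomain hosts, and the `object-src` fallback); the nonce-based policy yields none, because `'unsafe-inline'` and the `https:` scheme are neutralised by the nonce and `'strict-dynamic'`. `blob:` in `script-src` is deliberately not flagged: creating a blob URL already requires script execution on the page.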