Useless CSP

Jul 16, 2018

Wire

app.wire.com has script-src 'self' 'unsafe-eval' 'unsafe-inline'. With 'unsafe-inline' in script-src, any injected inline script or event handler is allowed to run, so the policy does nothing against XSS; 'unsafe-eval' additionally lets eval() and new Function() run attacker-controlled strings.

$ curl -s -I app.wire.com | grep -E '^Content-Security-Policy:' | sed "s/; /; \\n/g"
Content-Security-Policy: media-src 'self' blob: data: *; 
img-src 'self' blob: data: https://*.cloudfront.net https://*.giphy.com https://*.wire.com https://*.zinfra.io https://1-ps.googleusercontent.com https://api.mixpanel.com https://csi.gstatic.com; 
connect-src 'self' blob: data: https://*.giphy.com https://*.unsplash.com https://*.wire.com https://*.zinfra.io https://api.mixpanel.com https://api.raygun.io https://apis.google.com https://wire.com https://www.google.com wss://*.zinfra.io wss://prod-nginz-ssl.wire.com; 
object-src 'self' https://*.youtube-nocookie.com https://1-ps.googleusercontent.com; 
style-src 'self' 'unsafe-inline' https://*.googleusercontent.com https://*.wire.com; 
default-src 'self'; 
font-src 'self' data:; 
frame-src https://*.soundcloud.com https://*.spotify.com https://*.vimeo.com https://*.youtube-nocookie.com https://accounts.google.com; 
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.wire.com https://*.zinfra.io https://api.mixpanel.com https://api.raygun.io https://apis.google.com
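To make that check repeatable, here is a small CSP checker (an added example, not code from the post or from Wire): it parses a Content-Security-Policy header value and reports why script-src gives no real XSS protection. The embedded policy is the script-relevant subset of the app.wire.com header quoted above; the function and variable names are my own.

```python
# Added example: parse a CSP header value and explain why its script-src
# offers no XSS protection. Not from the original post.
from typing import Dict, List, Optional

# Script-relevant directives copied from the app.wire.com header quoted above.
WIRE_CSP = (
    "media-src 'self' blob: data: *; "
    "object-src 'self' https://*.youtube-nocookie.com https://1-ps.googleusercontent.com; "
    "style-src 'self' 'unsafe-inline' https://*.googleusercontent.com https://*.wire.com; "
    "default-src 'self'; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.wire.com https://*.zinfra.io "
    "https://api.mixpanel.com https://api.raygun.io https://apis.google.com"
)

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])  # a repeated directive is ignored, as per spec
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives fall back to default-src when absent; None means unrestricted."""
    return policy.get(directive, policy.get("default-src"))

def script_findings(policy: Dict[str, List[str]]) -> List[str]:
    """Return the reasons this policy's script-src gives little or no XSS protection."""
    srcs = effective_sources(policy, "script-src")
    if srcs is None:
        return ["no script-src and no default-src: all script sources allowed"]
    lowered = [s.lower() for s in srcs]
    has_nonce_or_hash = any(  # a nonce or hash makes browsers ignore 'unsafe-inline'
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    findings: List[str] = []
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' allows any inline <script> and event handler to run")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' allows eval()/new Function() on attacker-controlled strings")
    if "*" in lowered or any(s in ("http:", "https:", "data:") for s in lowered):
        findings.append("scheme or wildcard source allows scripts from arbitrary origins")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src unset: plugin content can execute script")
    return findings
```

Running script_findings(parse_csp(WIRE_CSP)) yields the 'unsafe-inline' and 'unsafe-eval' findings; the same policy with a nonce in script-src and without 'unsafe-eval' would yield none.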