Useless CSP

Jul 16, 2018

Wired's policy has script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; everything else in it seems to be there only to stop resources from being loaded over plain http.

$ curl -s -i | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; 
child-src https: data: blob:; 
connect-src https: data: blob:; 
font-src https: data:; 
img-src https: blob: data:; 
media-src blob: data: https:; 
object-src https:; 
script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; 
style-src https: 'unsafe-inline';
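As an added example (not from the original post), a small checker that parses the header above, applies the script-src to default-src fallback, and names each source expression that leaves script injection unblocked; the strict nonce-based policy it is compared against is a constructed counterexample.

```python
"""Flag Content-Security-Policy source expressions under which script-src
gives no protection against injected script. Added example; the first
header is a copy of the one quoted above, the second is constructed."""

WIRED_CSP = (
    "default-src https: data: 'unsafe-inline' 'unsafe-eval'; "
    "child-src https: data: blob:; connect-src https: data: blob:; "
    "font-src https: data:; img-src https: blob: data:; "
    "media-src blob: data: https:; object-src https:; "
    "script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; "
    "style-src https: 'unsafe-inline';"
)
# Constructed contrast: scripts run only with a per-response nonce.
STRICT_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'"

# Source expressions that make script-src ineffective, and why.
WEAK_SCRIPT_SOURCES = {
    "'unsafe-inline'": "inline <script> and event handlers run, so injected markup executes",
    "'unsafe-eval'": "eval()/new Function() allowed; injected strings become code",
    "data:": "data: URLs are fully controlled by whoever writes the markup",
    "blob:": "blob: URLs are minted by page script, including injected script",
    "https:": "every HTTPS origin is allowed, not just the site's own",
    "*": "every origin is allowed",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_src_weaknesses(header: str) -> list[str]:
    """Weak sources governing scripts; script-src falls back to default-src."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    return [s for s in sources if s.lower() in WEAK_SCRIPT_SOURCES]


def is_useless_against_xss(header: str) -> bool:
    """True if inline script or a scheme anyone can satisfy is allowed."""
    weak = {w.lower() for w in script_src_weaknesses(header)}
    return bool(weak & {"'unsafe-inline'", "data:", "https:", "*"})


if __name__ == "__main__":
    for src in script_src_weaknesses(WIRED_CSP):
        print(f"{src:16} {WEAK_SCRIPT_SOURCES[src.lower()]}")
    print("useless against XSS:", is_useless_against_xss(WIRED_CSP))
```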