Useless CSP

Jul 16, 2018

Wired

Wired.com has script-src https: data: blob: 'unsafe-inline' 'unsafe-eval';, which allows scripts from any HTTPS origin, from data: and blob: URLs, and inline, so it does nothing against injected script. Everything else seems to be there only to prevent loading resources over http.

$ curl -s -i https://www.wired.com/ | grep -Ei '^Content-Security-Policy:' | sed "s/; /; \\n/g"
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; 
child-src https: data: blob:; 
connect-src https: data: blob:; 
font-src https: data:; 
img-src https: blob: data:; 
media-src blob: data: https:; 
object-src https:; 
script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; 
style-src https: 'unsafe-inline'; 
block-all-mixed-content; 
upgrade-insecure-requests; 
report-uri https://capture.condenastdigital.com/csp/wired
$
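As an added example (not part of the original post), a small Python checker that parses a policy like the one above and reports why its effective script-src is useless against injected script; the source descriptions, the header-name stripping and the nonce/hash handling are my own assumptions about what a reviewer wants flagged.

```python
import re

# The policy shown in the curl output above, pasted as a single header value.
WIRED_CSP = (
    "default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src https: data: blob:; "
    "connect-src https: data: blob:; font-src https: data:; img-src https: blob: data:; "
    "media-src blob: data: https:; object-src https:; "
    "script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; "
    "style-src https: 'unsafe-inline'; block-all-mixed-content; upgrade-insecure-requests; "
    "report-uri https://capture.condenastdigital.com/csp/wired"
)

# Source expressions that leave script execution effectively unrestricted.
WEAK_SCRIPT_SOURCES = {
    "*": "wildcard: scripts from any origin",
    "https:": "scheme source: scripts from any HTTPS origin",
    "http:": "scheme source: scripts from any HTTP origin",
    "data:": "data: URLs carry attacker-supplied script",
    "blob:": "blob: URLs created by page script are loadable",
    "'unsafe-inline'": "inline <script> and event handlers run",
    "'unsafe-eval'": "eval()/Function() on strings allowed",
}
# Sources that on their own let injected markup execute arbitrary script.
ARBITRARY_SCRIPT = ("*", "https:", "http:", "data:", "'unsafe-inline'")


def parse_csp(header: str) -> dict:
    """Split a CSP header (name prefix optional) into {directive: [sources]}."""
    value = re.sub(r"^content-security-policy:\s*", "", header.strip(), flags=re.I)
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_findings(policy: dict) -> dict:
    """Weak sources in the effective script-src (falls back to default-src)."""
    sources = policy.get("script-src", policy.get("default-src", []))
    findings = {s: WEAK_SCRIPT_SOURCES[s] for s in sources if s in WEAK_SCRIPT_SOURCES}
    if any(re.match(r"'(nonce|sha256|sha384|sha512)-", s) for s in sources):
        # A nonce or hash source makes CSP2+ browsers ignore 'unsafe-inline'.
        findings.pop("'unsafe-inline'", None)
    return findings


def is_useless_against_xss(policy: dict) -> bool:
    """True when the effective script-src permits arbitrary script execution."""
    return any(s in script_src_findings(policy) for s in ARBITRARY_SCRIPT)
```

Run it on the raw curl output as well: parse_csp accepts the line with the content-security-policy: name still attached.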