Content-Security-Policy Survey (March 2022)
A quick analysis of the Content-Security-Policy header for the 197 domains that have made it to HN500 more than three times since January 1st, 2017. Based on the response returned when requesting each domain with thttp and the Firefox 98.0 User-Agent.
- 60/197 domains have a Content-Security-Policy in the response headers
Of those:
- 9/60 have `default-src 'none'` set
- 3/60 have `default-src 'self'` set (and only `'self'`)
- 10/60 have `'unsafe-inline'` in the policy
- 8/60 have `'unsafe-eval'` in the policy
- addons.mozilla.org is the only domain that has `default-src` set to `'none'` or `'self'` and doesn't include `'unsafe-eval'` or `'unsafe-inline'`
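If you want to reproduce the four checks above on your own captured headers, here is a small classifier. It is an added example, not the script used for the survey; the sample policies are constructed, and the extra `inline_neutralised` flag (an `'unsafe-inline'` that sits beside a nonce or hash, which CSP2+ browsers honour instead) is a refinement the survey did not apply.

```python
# Added example (not the survey's own code): apply the survey's checks to a CSP header value.
from __future__ import annotations
from dataclasses import dataclass

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

@dataclass(frozen=True)
class CspSummary:
    default_src_none: bool       # default-src includes 'none'
    default_src_self_only: bool  # default-src is exactly 'self'
    unsafe_inline: bool          # 'unsafe-inline' appears in any directive
    unsafe_eval: bool            # 'unsafe-eval' appears in any directive
    inline_neutralised: bool     # every 'unsafe-inline' sits beside a nonce/hash (CSP2+ ignores it then)

    @property
    def strict(self) -> bool:
        """The bar only addons.mozilla.org met in the survey."""
        return (self.default_src_none or self.default_src_self_only) \
            and not self.unsafe_inline and not self.unsafe_eval

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [sources]}. Directives are ';'-separated, tokens
    whitespace-separated; a repeated directive name is ignored, as browsers do.
    Tokens are lower-cased for keyword comparison; nonce/hash values are only prefix-checked."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def classify(header: str) -> CspSummary:
    d = parse_csp(header)
    default = d.get("default-src", [])
    everything = [s for sources in d.values() for s in sources]
    inline_dirs = [srcs for srcs in d.values() if "'unsafe-inline'" in srcs]
    return CspSummary(
        default_src_none="'none'" in default,
        default_src_self_only=default == ["'self'"],
        unsafe_inline=bool(inline_dirs),
        unsafe_eval="'unsafe-eval'" in everything,
        inline_neutralised=bool(inline_dirs) and all(
            any(s.startswith(HASH_OR_NONCE) for s in srcs) for srcs in inline_dirs),
    )

# Constructed sample headers standing in for captured survey responses.
SAMPLES = {
    "strict": "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:",
    "self-only": "default-src 'self'; frame-ancestors 'none'",
    "legacy": "default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "nonce-fallback": "script-src 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'",
}

def tally(samples: dict[str, str]) -> dict[str, int]:
    """Count, survey-style, how many policies trip each check."""
    rows = [classify(h) for h in samples.values()]
    keys = ("default_src_none", "default_src_self_only", "unsafe_inline", "unsafe_eval", "strict")
    return {k: sum(getattr(r, k) for r in rows) for k in keys}
```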
Feel free to download the list of domains for your own analysis.