Brenton Cleeland

Content-Security-Policy Survey (March 2022)

A quick analysis of the Content-Security-Policy for the 197 domains that have made it to HN500 more than three times since January 1st, 2017. Based on the response given when using thttp with the Firefox 98.0 User-Agent.

  • 60/197 domains have a Content-Security-Policy in the response headers

Of those:

  • 9/60 have default-src: none set
  • 3/60 have default-src: self set (and only self)
  • 10/60 have unsafe-inline in the policy
  • 8/60 have unsafe-eval in the policy
  • addons.mozilla.org is the only domain that has default-src set to none or self, and doesn't include unsafe-eval or unsafe-inline

Feel free to download the list of domains for your own analysis.
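
For anyone repeating the survey on that list, the following is an added example (not part of the original post) that parses a CSP header and applies the same four checks used above: a default-src of 'none', a default-src of 'self' and nothing else, and the presence of 'unsafe-inline' or 'unsafe-eval' anywhere in the policy. The domain names and header values are constructed for illustration, not the survey's data.

```python
"""Classify Content-Security-Policy headers using the survey's criteria."""

# Constructed sample input: domain -> CSP header value (None = header absent).
SAMPLE_HEADERS = {
    "a.example": "default-src 'none'; script-src 'self'; img-src 'self' data:",
    "b.example": "default-src 'self'",
    "c.example": "default-src 'self' https://cdn.example; script-src 'unsafe-inline'",
    "d.example": "default-src 'none'; script-src 'self' 'unsafe-eval';",
    "e.example": None,
}

INDICATORS = ("default_none", "default_self_only", "unsafe_inline", "unsafe_eval")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:  # skip empty segments such as a trailing ';'
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def classify(header):
    """Return the four indicators from the post for a single header."""
    policy = parse_csp(header)
    default = policy.get("default-src", [])
    all_sources = [src for srcs in policy.values() for src in srcs]
    return {
        "default_none": default == ["'none'"],
        "default_self_only": default == ["'self'"],
        "unsafe_inline": "'unsafe-inline'" in all_sources,
        "unsafe_eval": "'unsafe-eval'" in all_sources,
    }


def survey(headers):
    """Aggregate the indicators over domains that send a CSP header at all."""
    with_csp = {d: h for d, h in headers.items() if h}
    counts = {"with_csp": len(with_csp), "strict": []}
    counts.update({key: 0 for key in INDICATORS})
    for domain, header in with_csp.items():
        c = classify(header)
        for key in INDICATORS:
            counts[key] += c[key]
        # The post's strictest bucket: restrictive default-src and no unsafe-* anywhere.
        if (c["default_none"] or c["default_self_only"]) and not (
            c["unsafe_inline"] or c["unsafe_eval"]
        ):
            counts["strict"].append(domain)
    return counts
```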