Content-Security-Policy Survey (March 2022)
A quick analisys of the Content-Security-Policy for the 197 domains that have made it to HN500 more than three times since January 1st, 2017. Based on the response given when using thttp with the Firefox 98.0 User-Agent.
- 60/197 domains have a Content-Security-Policy in the response headers
- 9/60 have
- 3/60 have
default-src: selfset (and only
- 10/60 have
unsafe-inlinein the policy
- 8/60 have
unsafe-evalin the policy
- addons.mozilla.org is the only domain that has default-src set to none or self, and doesn't include unsafe-eval or unsafe-inline
Feel free to download the list of domains for your own analysis.