Brenton Cleeland

In a sample of 200 domains that have been popular on Hacker News in the last few years, only 3% have a Content-Security-Policy with default-src 'none'. I really thought that this had become a sensible security default, but obviously that's not the case.
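
One way to classify collected Content-Security-Policy header values for this kind of count, as an added example and not the code behind the survey above. The function names, domains and header values are constructed for illustration, and each value is assumed to hold a single policy.

```python
# Added example: decide whether a Content-Security-Policy header value sets
# default-src to exactly 'none'. All sample data below is constructed.

def parse_csp(header_value):
    """Parse one policy into {directive: [source, ...]}.

    Directives are separated by ';', directive names are case-insensitive,
    and a repeated directive is ignored (the first occurrence wins).
    Assumption: the value holds one policy (no comma-separated policy list).
    """
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy

def default_src_is_none(header_value):
    """True only when default-src has the single keyword source 'none'."""
    sources = parse_csp(header_value).get("default-src")
    # 'none' only denies everything when it is the sole source expression.
    return sources is not None and [s.lower() for s in sources] == ["'none'"]

def survey(headers_by_domain):
    """Return (sorted matching domains, fraction of all domains)."""
    hits = sorted(d for d, h in headers_by_domain.items()
                  if h is not None and default_src_is_none(h))
    return hits, len(hits) / len(headers_by_domain)

SAMPLE = {  # constructed header values, not survey data
    "a.example": "default-src 'none'; img-src 'self'; style-src 'self'",
    "b.example": "default-src 'self'; script-src 'self' https://cdn.example",
    "c.example": "DEFAULT-SRC 'NONE'; script-src 'self'",
    "d.example": "default-src none",  # unquoted: a host called "none"
    "e.example": "default-src 'none' https://cdn.example",  # not deny-all
    "f.example": "script-src 'self'; default-src 'none'; default-src *",
    "g.example": "upgrade-insecure-requests",  # no default-src at all
    "h.example": None,  # no CSP header sent
}

if __name__ == "__main__":
    hits, share = survey(SAMPLE)
    print(f"{len(hits)}/{len(SAMPLE)} ({share:.1%}):", ", ".join(hits))
```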