Content Security Policy lets a web server declare, per content type (images, scripts, media, frames etc.), the origins from which that content may be loaded, so that the browser refuses anything the site authors did not intend. The policy is delivered in the Content-Security-Policy header, which the browser enforces by blocking violating loads. The related Content-Security-Policy-Report-Only header instructs the browser to evaluate the same policy but only report violations (to the report-uri endpoint, if one is set) without blocking anything; it is the usual way to try out a policy before switching to enforcement.

Reference...

We have seen 4106 websites setting the Content-Security-Policy HTTP header and 8635 unique values of this header. There are more values than sites because policies that embed a per-request nonce (see www.google.com below) or a per-request report-uri query string (see airbnb.com, yandex.net and www.youtube.com below) produce a different header value on every response.

  • ipsec.pl connect-src http://ajax.googleapis.com https://api.mixpanel.com http://api.mixpanel.com 'self' ; child-src 'none' ; font-src https://fonts.gstatic.com data: 'self' https://ipsec.pl ; form-action https://bitpay.com 'self' ; frame-ancestors about ; frame-src https://platform.twitter.com https://googleads.g.doubleclick.net https://disqus.com http://disqus.com http://static.ak.facebook.com https://s-static.ak.facebook.com http://googleads.g.doubleclick.net https://accounts.google.com https://apis.google.com http://www.facebook.com https://www.facebook.com https://docs.google.com ; img-src https://bitpay.com https://www.paypalobjects.com data: https://ddfnmo6ev4fd.cloudfront.net https://syndication.twitter.com http://ssl.gstatic.com https://ssl.gstatic.com http://www.google-analytics.com 'self' https://licensebuttons.net https://cdn.mxpnl.com https://i.creativecommons.org http://webcookies.org http://i.creativecommons.org https://referrer.disqus.com https://a.disquscdn.com http://referrer.disqus.com http://a.disquscdn.com https://cspbuilder.info http://ipsec.pl https://pagead2.googlesyndication.com https://ipsec.pl http://www.userfriendly.org http://www.commoncriteriaportal.org https://translate.googleapis.com https://www.google.com http://books.google.com http://www.isaca.org.pl ; media-src 'none' ; object-src http://www.gstatic.com https://www.gstatic.com ; script-src 'unsafe-eval' 'unsafe-inline' 'self' http://ajax.googleapis.com https://connect.facebook.net https://platform.twitter.com https://pagead2.googlesyndication.com https://ipsecpl.disqus.com https://cdn.mxpnl.com https://a.disquscdn.com http://pagead2.googlesyndication.com https://apis.google.com http://cdn.mxpnl.com http://echelonpl.disqus.com http://a.disquscdn.com http://connect.facebook.net http://kabardianscom.disqus.com http://www.google-analytics.com https://translate.googleapis.com https://ipsec.pl ; style-src https://fonts.googleapis.com 'unsafe-eval' 'self' https://a.disquscdn.com http://a.disquscdn.com 'unsafe-inline' https://ipsec.pl https://translate.googleapis.com ; default-src 'none' ; strict-mixed-content-checking; reflected-xss filter; referrer origin-when-cross-origin;
  • www.snapchat.com default-src 'self'; img-src 'self' https://app.snapchat.com https://www.google-analytics.com https://googleads.g.doubleclick.net https://lh3.googleusercontent.com https://maps.googleapis.com https://maps.gstatic.com https://csi.gstatic.com/csi https://stats.g.doubleclick.net https://storage.googleapis.com blob: data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' https://www.google-analytics.com https://maps.googleapis.com https://www.gstatic.com https://gstatic.com https://www.google.com https://www.googleadservices.com https://sc-static.net https://www.youtube.com https://s.ytimg.com; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.google.com https://googleads.g.doubleclick.net https://snap.adbrn.com https://tr.snapchat.com https://tr-shadow.snapchat.com https://player.vimeo.com; connect-src 'self' https://gms-carousel-dot-lookinsoclear.appspot.com https://app.snapchat.com https://geofilters-community-api.snapchat.com https://web-frontend-dot-sc-analytics.appspot.com https://zgl-s.tlnk.io https://woj-e.tlnk.io https://launch1.co https://accounts.snapchat.com https://scan.snapchat.com https://www.google-analytics.com; media-src 'self' data: blob: https://storage.googleapis.com; report-uri https://csp-central.appspot.com/report_csp
  • dnsbelgium.be default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: stats.g.doubleclick.net; frame-src 'self' platform.twitter.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' stats.g.doubleclick.net google-analytics.com ajax.googleapis.com apis.google.com platform.twitter.com; reflected-xss block
  • dn.se frame-ancestors *.dn.se *.di.se di.se
  • pornorama.com default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.xvideos.com *.xnxx.com *.xvideos-cdn.com *.xnxx-cdn.com *.others-cdn.com z8y8f3q6.ssl.hwcdn.net https://www.xvideos.com https://wg-xvdev.xvideos.com *.trafficfactory.biz fonts.googleapis.com fonts.gstatic.com ajax.googleapis.com www.google-analytics.com *.addthis.com *.addthisedge.com www.iwanttodeliver.com apis.google.com www.google.com www.gstatic.com accounts.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ www.sex.com *.lswcdn.net *.llnwd.net *.hwcdn.net fcm.googleapis.com wss://chat-group-test-master.xvideos.com wss://chat-group-test-connection.xvideos.com wss://chat-private-master.xvideos.com wss://chat-private-connection1.xvideos.com wss://chat-private-connection11.xvideos.com wss://chat-private-connection12.xvideos.com wss://chat-private-connection13.xvideos.com wss://chat-private-connection14.xvideos.com wss://chat-private-connection15.xvideos.com wss://chat-private-connection16.xvideos.com wss://chat-private-connection17.xvideos.com wss://chat-private-connection18.xvideos.com wss://chat-private-connection19.xvideos.com wss://chat-private-connection110.xvideos.com wss://chat-private-connection111.xvideos.com wss://chat-private-connection112.xvideos.com wss://chat-private-connection113.xvideos.com wss://chat-private-connection114.xvideos.com wss://chat-private-connection115.xvideos.com wss://chat-private-connection2.xvideos.com wss://chat-private-connection21.xvideos.com wss://chat-private-connection22.xvideos.com wss://chat-private-connection23.xvideos.com wss://chat-private-connection24.xvideos.com wss://chat-private-connection25.xvideos.com wss://chat-private-connection26.xvideos.com wss://chat-private-connection27.xvideos.com wss://chat-private-connection28.xvideos.com wss://chat-private-connection29.xvideos.com wss://chat-private-connection210.xvideos.com wss://chat-private-connection211.xvideos.com wss://chat-private-connection212.xvideos.com wss://chat-private-connection213.xvideos.com wss://chat-private-connection214.xvideos.com wss://chat-private-connection215.xvideos.com wss://chat-private-connection3.xvideos.com wss://chat-private-connection31.xvideos.com wss://chat-private-connection32.xvideos.com wss://chat-private-connection33.xvideos.com wss://chat-private-connection34.xvideos.com wss://chat-private-connection35.xvideos.com wss://chat-private-connection36.xvideos.com wss://chat-private-connection37.xvideos.com wss://chat-private-connection38.xvideos.com wss://chat-private-connection39.xvideos.com wss://chat-private-connection5.xvideos.com wss://chat-private-connection51.xvideos.com wss://chat-private-connection52.xvideos.com wss://chat-private-connection53.xvideos.com wss://chat-private-connection54.xvideos.com wss://chat-private-connection55.xvideos.com wss://chat-private-connection56.xvideos.com wss://chat-private-connection57.xvideos.com wss://chat-private-connection58.xvideos.com wss://chat-private-connection59.xvideos.com wss://chat-private-connection510.xvideos.com wss://chat-private-connection511.xvideos.com wss://chat-private-connection512.xvideos.com wss://chat-private-connection513.xvideos.com wss://chat-private-connection514.xvideos.com wss://chat-private-connection515.xvideos.com https://chat-group-test-master.xvideos.com https://chat-group-test-connection.xvideos.com https://chat-private-master.xvideos.com https://chat-private-connection1.xvideos.com https://chat-private-connection11.xvideos.com https://chat-private-connection12.xvideos.com https://chat-private-connection13.xvideos.com https://chat-private-connection14.xvideos.com https://chat-private-connection15.xvideos.com https://chat-private-connection16.xvideos.com https://chat-private-connection17.xvideos.com https://chat-private-connection18.xvideos.com https://chat-private-connection19.xvideos.com https://chat-private-connection110.xvideos.com https://chat-private-connection111.xvideos.com https://chat-private-connection112.xvideos.com https://chat-private-connection113.xvideos.com https://chat-private-connection114.xvideos.com https://chat-private-connection115.xvideos.com https://chat-private-connection2.xvideos.com https://chat-private-connection21.xvideos.com https://chat-private-connection22.xvideos.com https://chat-private-connection23.xvideos.com https://chat-private-connection24.xvideos.com https://chat-private-connection25.xvideos.com https://chat-private-connection26.xvideos.com https://chat-private-connection27.xvideos.com https://chat-private-connection28.xvideos.com https://chat-private-connection29.xvideos.com https://chat-private-connection210.xvideos.com https://chat-private-connection211.xvideos.com https://chat-private-connection212.xvideos.com https://chat-private-connection213.xvideos.com https://chat-private-connection214.xvideos.com https://chat-private-connection215.xvideos.com https://chat-private-connection3.xvideos.com https://chat-private-connection31.xvideos.com https://chat-private-connection32.xvideos.com https://chat-private-connection33.xvideos.com https://chat-private-connection34.xvideos.com https://chat-private-connection35.xvideos.com https://chat-private-connection36.xvideos.com https://chat-private-connection37.xvideos.com https://chat-private-connection38.xvideos.com https://chat-private-connection39.xvideos.com https://chat-private-connection5.xvideos.com https://chat-private-connection51.xvideos.com https://chat-private-connection52.xvideos.com https://chat-private-connection53.xvideos.com https://chat-private-connection54.xvideos.com https://chat-private-connection55.xvideos.com https://chat-private-connection56.xvideos.com https://chat-private-connection57.xvideos.com https://chat-private-connection58.xvideos.com https://chat-private-connection59.xvideos.com https://chat-private-connection510.xvideos.com https://chat-private-connection511.xvideos.com https://chat-private-connection512.xvideos.com https://chat-private-connection513.xvideos.com https://chat-private-connection514.xvideos.com https://chat-private-connection515.xvideos.com;img-src 'self' 'unsafe-inline' data: *.xvideos.com *.xnxx.com *.xvideos-cdn.com *.xnxx-cdn.com *.others-cdn.com *.hwcdn.net *.trafficfactory.biz www.google.com www.google-analytics.com ssl.gstatic.com;
  • ravelry.com script-src 'self' 'unsafe-inline' 'unsafe-eval' *.ravelry.com https://www.ravelry.com *.ravelrycache.com https://apis.google.com https://www.amazon.com https://www.dropbox.com *.googleapis.com https://*.googleapis.com *.google-analytics.com https://www.google.com *.gstatic.com https://maps.gstatic.com maps.googleapis.com maps.google.com bam.nr-data.net *.newrelic.com platform.twitter.com connect.facebook.net *.facebook.com *.pinterest.com https://*.pinterest.com; object-src 'self' *.ravelry.com *.macromedia.com *.etsy.com *.youtube.com *.vimeo.com *.vimeocdn.com *.gstatic.com; frame-src 'self' https://*.facebook.com https://www.amazon.com https://*.buffer.com https://docs.google.com https://accounts.google.com https://player.vimeo.com *.vimeo.com https://*.vimeo.com *.vimeocdn.com *.youtube.com vine.co *.google.com *.twitter.com *.facebook.com *.pinterest.com chromenull://* chromeinvoke://* webviewprogressproxy://*; connect-src 'self' *.ravelry.com https://www.ravelry.com ws://websocket.ravelry.com ws://websocket2.ravelry.com ws://websocket3.ravelry.com translate.googleapis.com; report-uri http://csp-reports.ravelry.com/
  • arstechnica.com default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src https: data: blob:; connect-src https: data: blob:; font-src https: data:; img-src https: data:; media-src blob: https:; object-src https:; script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; block-all-mixed-content; upgrade-insecure-requests
  • slando.ua default-src * 'unsafe-eval' 'unsafe-inline' data:; frame-ancestors 'self' app.optimizely.com apps.facebook.com fonts.googleapis.com
  • futureshop.ca frame-ancestors http://*.bestbuy.com https://*.bestbuy.com http://*.bestbuy.ca https://*.bestbuy.ca https://*.google.com https://*.gstatic.com https://*.adobemc.com https://*.adobe.com
  • alamaula.com connect-src * 'self'
  • gigas.com default-src * http: https:; style-src 'self' 'unsafe-inline' http: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; frame-ancestors 'self' *.gigas.com;img-src data: 'self' 'unsafe-inline' 'unsafe-eval' http: https:;
  • www.google.com script-src 'nonce-vFgafEk+Iti1fhKERd+u67hC78I' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1
  • www.wp.pl block-all-mixed-content; report-uri /v1/csplog
  • www.youtube.com connect-src https:; default-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src https: data:; media-src https: blob:; report-uri https://www.youtube.com/csp_204?t=ehttps&vcs=99ff3a392afaacabcaa34b4d484565b1&plabel=youtube.ytfe.desktop_20180620_9_RC1&pcl=201537729
  • national-lottery.co.uk default-src 'self'; script-src 'self' 'unsafe-eval' tags.tiqcdn.com tealium.hs.llnwd.net e8091.b.akamaiedge.net connect.facebook.net platform.twitter.com *.maxymiser.net *.maxymiser.com *.turn.com camelotcdn.abaresearch.uk prf.hn *.egaincloud.net *.twimg.com d2oh4tlt9mrke9.cloudfront.net ws.sessioncam.com www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' camelotcdn.abaresearch.uk *.maxymiser.com *.maxymiser.net prf.hn *.egaincloud.net *.twitter.com; frame-src 'self' https://payments1.national-lottery.co.uk https://payments2.national-lottery.co.uk *.doubleclick.net *.tealiumiq.com www.youtube.com platform.twitter.com twitter.com static.ak.facebook.com s-static.ak.facebook.com www.facebook.com *.maxymiser.net *.maxymiser.com qgen.abaresearch.co.uk *.egaincloud.net www.google.com; img-src 'self' camelot.d3.sc.omtrdc.net *.turn.com *.maxymiser.com *.maxymiser.net camelotcdn.abaresearch.uk prf.hn *.egaincloud.net *.twitter.com *.twimg.com www.facebook.com ws.sessioncam.com blob:; connect-src 'self' camelotcdn.abaresearch.uk *.egaincloud.net *.tealiumiq.com ws.sessioncam.com
  • zomato.com frame-ancestors 'self'; default-src *; font-src * data:; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.twitter.com *.recruiterbox.com *.zdev.net *.zdev.net:8080 *.zomato.com *.tinymce.com *.gstatic.com *.googleapis.com *.google.com *.facebook.com sdk.accountkit.com *.doubleclick.net *.nr-data.net *.newrelic.com *.google-analytics.com *.akamaihd.net *.zmtcdn.com *.googletagmanager.com *.facebook.net *.googleadservices.com *.cdninstagram.com *.googlesyndication.com *.inspectlet.com *.spreedly.com *.instagram.com *.twimg.com *.mouseflow.com *.usersnap.com d3mvnvhjmkxpjz.cloudfront.net *.serving-sys.com *.sushissl.com *.pubnub.com tsgw.tataelxsi.co.in *.branch.io app.link *.ravenjs.com cdn.poll-maker.com *.ampproject.org *.smartlook.com *.hotjar.com *.zba.se; style-src * 'unsafe-inline';
  • airbnb.com default-src 'self' https:; connect-src 'self' https: ws://localhost.airbnb.com:8888 *.inspectlet.com wss://ws.inspectlet.com http:; font-src 'self' data: *.muscache.com fonts.gstatic.com use.typekit.net; frame-src *; img-src 'self' https: *.inspectlet.com http: data:; media-src 'self' https:; object-src 'self' https:; script-src 'sha256-2S1zmL0hHGfsnw+rP+m+rBKOma7sejqhykg8DdWFKfU=' 'sha256-e+WZxCf+T3EsxjWDrJZxp6YDUoZRzlAHxJG4rUsY8Zg=' 'self' https: 'unsafe-eval' 'unsafe-inline' *.inspectlet.com http:; style-src 'self' https: 'unsafe-inline' http:; report-uri /tracking/csp?action=show&controller=homepages&req_uuid=3da7081f-1ccc-4e69-9ca5-8dbbf385a184&version=93f2b51fe672047cebf973068c99df96a0c03fbf;
  • yandex.net default-src 'self' 'unsafe-inline' 'unsafe-eval' wss://portal-xiva.yandex.net *.yandex.ru yandex.ru *.yandex.net https://*.yandex.ru https://yandex.ru https://*.yandex.net yandex.st yastatic.net *.yastatic.net ws://portal-xiva.yandex.net wss://portal-xiva.yandex.net wss://push.yandex.ru; img-src data: 'self' awaps.yandex.ru https://awaps.yandex.ru *.yandex.ru *.tns-counter.ru *.gemius.pl https://*.yandex.ru https://*.tns-counter.ru https://*.gemius.pl yandex.st *.yandex.net yastatic.net *.yastatic.net; report-uri http://www.yandex.ru/log/csp?from=big.ru&showid=22855.28011.1424727371.62533&h=a10&yu=3432397661424727372;
  • www.cnn.com default-src 'self' http://*.cnn.com:* https://*.cnn.com:* *.cnn.net:* *.turner.com:* *.ugdturner.com:* *.vgtf.net:*; script-src 'unsafe-inline' 'unsafe-eval' 'self' *; style-src 'unsafe-inline' 'self' *; frame-src 'self' *; object-src 'self' *; img-src 'self' *; media-src 'self' *; font-src 'self' *; connect-src 'self' *;
  • www.nytimes.com default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob:; style-src data: 'unsafe-inline' https:; img-src data: https: blob:; font-src data: https:; connect-src https: wss:; media-src https: blob:; object-src https:; child-src https: data: blob:; form-action https:; block-all-mixed-content;
  • www.washingtonpost.com upgrade-insecure-requests
  • www.theguardian.com default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; img-src https: data: blob:; media-src https: data: blob:; font-src https: data:; connect-src https: wss:
  • www.rtbf.be upgrade-insecure-requests
  • www.telegraph.co.uk upgrade-insecure-requests;
  • www.bild.de upgrade-insecure-requests
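The policies above differ enormously in how much protection against script injection they actually give: several only set upgrade-insecure-requests or frame-ancestors and leave scripts unrestricted, many allow 'unsafe-inline' and 'unsafe-eval', and www.google.com uses a nonce plus 'strict-dynamic', under which browsers ignore both 'unsafe-inline' and the host/scheme sources that follow. The following Python script is an added example (not code from this page or from any of the listed sites) that parses a CSP header value, applies the default-src fallback rule, and reports the weaknesses a reviewer looks for in script-src, object-src and base-uri. It also distinguishes the enforcing header from Content-Security-Policy-Report-Only, whose findings are reported but never blocked. The sample set is constructed by copying four policies verbatim from the list above; the nonce value is the one shown for www.google.com.

```python
"""Parse a Content-Security-Policy value and flag script-injection weaknesses.

Added example, not from the page: a minimal reviewer's audit of the policies
listed above.  Sample policies are copied from that list.
"""
from __future__ import annotations

# Sources that allow scripts from effectively anywhere on that scheme.
SCHEME_WIDE = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive_name: [source tokens]}.

    Directives are separated by ';' and tokens by ASCII whitespace. Directive
    names are case-insensitive; keyword sources keep their quotes. A repeated
    directive is ignored after its first occurrence, which is what browsers do.
    """
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Fetch directives (script-src, object-src, ...) fall back to default-src
    when absent; base-uri does not. None means 'not restricted at all'."""
    if directive in policy:
        return policy[directive]
    if directive == "base-uri":
        return None
    return policy.get("default-src")


def audit(header_name: str, value: str) -> dict:
    """Return the enforcement mode and the weaknesses a reviewer would flag."""
    name = header_name.lower()
    if name == "content-security-policy":
        mode = "enforce"
    elif name == "content-security-policy-report-only":
        mode = "report-only"  # violations are sent to report-uri, nothing is blocked
    else:
        raise ValueError(f"not a CSP header: {header_name}")

    policy = parse_csp(value)
    findings: list[str] = []
    scripts = effective(policy, "script-src")
    if scripts is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in scripts)
        strict_dynamic = "'strict-dynamic'" in scripts
        # CSP2+: a nonce or hash in the list makes browsers ignore 'unsafe-inline'
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("'unsafe-inline' in script-src without nonce/hash")
        if "'unsafe-eval'" in scripts:
            findings.append("'unsafe-eval' in script-src")
        # CSP3: 'strict-dynamic' makes browsers ignore host and scheme sources,
        # so only flag them when it is absent.
        if not strict_dynamic:
            for s in scripts:
                if s in SCHEME_WIDE:
                    findings.append(f"scheme-wide script source {s}")
                elif s.startswith("http://"):
                    findings.append(f"plaintext script source {s}")
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if effective(policy, "base-uri") is None:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return {"mode": mode, "findings": findings}


# Constructed sample set: four header values copied verbatim from the list above.
SAMPLES = {
    "www.washingtonpost.com": "upgrade-insecure-requests",
    "dnsbelgium.be": "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: stats.g.doubleclick.net; frame-src 'self' platform.twitter.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' stats.g.doubleclick.net google-analytics.com ajax.googleapis.com apis.google.com platform.twitter.com; reflected-xss block",
    "www.theguardian.com": "default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; img-src https: data: blob:; media-src https: data: blob:; font-src https: data:; connect-src https: wss:",
    "www.google.com": "script-src 'nonce-vFgafEk+Iti1fhKERd+u67hC78I' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1",
}

if __name__ == "__main__":
    for site, value in SAMPLES.items():
        result = audit("Content-Security-Policy", value)
        print(f"{site} [{result['mode']}]")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running it shows the spread: www.washingtonpost.com has no script restriction at all, dnsbelgium.be and www.theguardian.com allow inline and eval'd script, and www.google.com is left with only the 'unsafe-eval' finding because the nonce neutralises 'unsafe-inline' and 'strict-dynamic' neutralises the https: and http: sources. The audit deliberately does not try to judge individual hosts (for example JSONP endpoints on an allowed CDN); that needs a curated host list, which is out of scope here.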