Content Security Policy is used by a web server to declare a list of trusted content types (images, scripts, media etc) and origins from which they can be safely loaded as intended by the website authors. The Content-Security-Policy-Report-Only header instruct the browser to enable CSP in enforcement mode.

Reference...

We have seen 4094 websites setting the Content-Security-Policy HTTP header and 8621 unique values of this header.

  • www.expressen.se upgrade-insecure-requests;
  • www.tagesanzeiger.ch upgrade-insecure-requests
  • m.facebook.com default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data:;style-src data: 'unsafe-inline' *;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
  • www.smh.com.au upgrade-insecure-requests;
  • isport.blesk.cz upgrade-insecure-requests; default-src https: blob: wss:; script-src https: 'unsafe-inline' 'unsafe-eval' blob:; style-src https: 'unsafe-inline'; img-src https: data: blob:; media-src https: blob: data:;frame-src https: blob: data:; report-uri /cspreports
  • www.forbes.com upgrade-insecure-requests
  • restaurace.cz default-src 'self' 'unsafe-inline' 'unsafe-eval' *
  • www.facebook.com default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data:;style-src data: 'unsafe-inline' *;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com;
  • nypost.com frame-ancestors *.nypost.com *.decider.com *.pagesix.com http://www.stumbleupon.com https://www.stumbleupon.com
  • www.vox.com default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src https: data: blob:; connect-src https: data: blob:; font-src https: data:; img-src https: data: blob:; media-src https: data: blob:; object-src https:; script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; block-all-mixed-content; upgrade-insecure-requests
  • tempsreel.nouvelobs.com default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob:; style-src data: 'unsafe-inline' https:; img-src data: https: blob:; font-src data: https:; connect-src https: wss:; media-src https: blob:; object-src https:; child-src https: data: blob:; form-action https:; block-all-mixed-content;
  • www.ad.nl default-src https: blob:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; img-src data: https: blob: android-webview android-webview-video-poster:; font-src data: https:; connect-src *; media-src https: data: blob:; worker-src https: blob:; upgrade-insecure-requests;
  • www.demorgen.be default-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; img-src data: https: blob: android-webview-video-poster:; font-src data: https:; connect-src *; media-src https: data: blob:; upgrade-insecure-requests;
  • sites.google.com script-src 'report-sample' 'nonce-yVIZmVSg/j6MnFjRwzmzjFvF2Aw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
  • thriftyniftymommy.com upgrade-insecure-requests
  • postergully.myshopify.com block-all-mixed-content; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9f9e488e-ae48-41fc-be16-433a971aef1f
  • recipesforourdailybread.com block-all-mixed-content
  • moyou.co.uk block-all-mixed-content; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=67ac6ec1-8315-4aa3-baf7-d30ee082cb95
  • appraisalinstitute.org *
  • www.infobae.com upgrade-insecure-requests; media-src https: blob:; child-src https: blob:; default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; font-src https: data:; img-src https: data:;, upgrade-insecure-requests; media-src https: blob:; child-src https: blob:; default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; font-src https: data:; img-src https: data:;, upgrade-insecure-requests; media-src https: blob:; child-src https: blob:; default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; font-src https: data:; img-src https: data:;, upgrade-insecure-requests; media-src https: blob:; child-src https: blob:; default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; font-src https: data:; img-src https: data:;
  • kotaku.com frame-ancestors https://www.stumbleupon.com/
  • www.publico.pt upgrade-insecure-requests;
  • www.denverpost.com default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob:; style-src 'unsafe-inline' https:; img-src data: https: blob:; font-src data: https:; connect-src https: data: blob:; media-src blob: data: https:; object-src https:; child-src https: data: blob:; upgrade-insecure-requests; block-all-mixed-content;
  • www.tv.com frame-ancestors 'self';
  • www.usatoday.com upgrade-insecure-requests
Fully automated RESTful API is now available. Subscribe for your free trial today!