Legacy, deprecated variant of the Content-Security-Policy header used by WebKit browsers in the initial period of CSP adoption.


We have seen 652 websites setting the X-Content-Security-Policy HTTP header and 378 unique values of this header.

  • alamaula.com connect-src * 'self'
  • national-lottery.co.uk default-src 'self'; script-src 'self' tags.tiqcdn.com tealium.hs.llnwd.net e8091.b.akamaiedge.net connect.facebook.net platform.twitter.com *.maxymiser.net *.maxymiser.com *.turn.com camelotcdn.abaresearch.uk prf.hn *.egaincloud.net *.twimg.com d2oh4tlt9mrke9.cloudfront.net ws.sessioncam.com www.google.com www.gstatic.com; frame-src 'self' https://payments1.national-lottery.co.uk https://payments2.national-lottery.co.uk *.doubleclick.net *.tealiumiq.com www.youtube.com platform.twitter.com twitter.com static.ak.facebook.com s-static.ak.facebook.com www.facebook.com *.maxymiser.net *.maxymiser.com qgen.abaresearch.co.uk *.egaincloud.net www.google.com; options eval-script; img-src 'self' camelot.d3.sc.omtrdc.net *.turn.com *.maxymiser.com *.maxymiser.net camelotcdn.abaresearch.uk prf.hn *.egaincloud.net *.twitter.com *.twimg.com www.facebook.com ws.sessioncam.com blob: data:;
  • antonveneta.it allow *; options inline-script eval-script; frame-ancestors 'self';
  • wineanthology.com frame-ancestors 'self'
  • seeusnaked.tumblr.com sandbox
  • whatshouldwecallgradschool.tumblr.com sandbox
  • softbesplatno.net default-src 'self'; img-src 'self' data: www.google-analytics.com bs.yandex.ru img.yandex.net wimg.yandex.net sync.audtd.com imgg.tovarro.com track.rtb-media.ru *.hotlog.ru counter.yadro.ru *.marketgid.com counter.tovarro.com mg.yadro.ru front.facetz.net chart.apis.google.com d7.c2.b3.a2.top.mail.ru *.mail.ru; style-src 'self' 'unsafe-inline'; script-src blob: www.google-analytics.com mc.yandex.ru jsc.dt00.net *.marketgid.com 'self' 'unsafe-inline' 'unsafe-eval'; frame-src www.youtube.com https://www.youtube.com 'self'; object-src 'self' www.youtube.com https://s.ytimg.com https://*.googlevideo.com https://www.youtube.com https://s.youtube.com gdata.youtube.com i.ytimg.com; font-src 'self'; connect-src 'self' mc.yandex.ru;
  • geekandsundry.com frame-ancestors 'none'
  • evp.lt script-src 'self' maps.googleapis.com; style-src 'self' fonts.googleapis.com; report-uri /csp-violations/report
  • hertz.com.au frame-ancestors 'self'
  • redmayhem.tumblr.com sandbox
  • pohtpof.tumblr.com sandbox
  • twistedthoughtsofmine.tumblr.com sandbox
  • lenoxhillhospital.org default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net www.google-analytics.com cdn.optimizely.com www.bugherd.com sjrtp4-cdn.marketo.com www.googletagmanager.com cdn.callrail.com cdn-akamai.mookie1.com secure-ds.serving-sys.com munchkin.marketo.net *.calltrk.com tags.tiqcdn.com bs.serving-sys.com *.marketo.com app.callrail.com *.jwpcdn.com www.youtube.com *.addthis.com m.addthisedge.com s.ytimg.com graph.facebook.com widgets.pinterest.com *.googleapis.com use.typekit.net *.northwell.edu video.limelight.com *.delvenetworks.com static.addtoany.com malihu.github.io ajax.aspnetcdn.com s.gravatar.com *.wp.com calltrk-production.s3.amazonaws.com *.googleadservices.com ajax.microsoft.com code.jquery.com api.html5media.info *.cloudfront.net *.jwpcdn.com *.newrelic.com bam.nr-data.net tagmanager.google.com *.surveymonkey.com console.brightwhistle.com js.callrail.com content.healthwise.net *.licdn.com *.linkedin.com *.bizographics.com *.influencehealth.com *.adnxs.com; object-src 'self' video.limelight.com assets.delvenetworks.com; style-src 'self' 'unsafe-inline' rtp-static.marketo.com *.googleapis.com *.bootstrapcdn.com *.northwell.edu malihu.github.io static.addtoany.com s.gravatar.com code.jquery.com *.cloudfront.net *.surveymonkey.com *.marketo.com *.adnxs.com *.linkedin.com; img-src 'self' data: *.google-analytics.com *.g.doubleclick.net www.facebook.com www.google.com jwpltx.com api.nslijweb.com csi.gstatic.com *.googleapis.com maps.gstatic.com img.delvenetworks.com *.llnw.net m.addthis.com *.northwell.edu northwellhealt.wpengine.com *.gravatar.com *.wp.com *.northwell.io *.cloudfront.net *.amazonaws.com www.bugherd.com *.surveymonkey.com img.youtube.com *.googleadservices.com maps.googleapis.com *.mxptint.net dpm.demdex.net ad.yieldmanager.com ad.afy11.net d.agkn.com idsync.rlcdn.com *.bluekai.com *.openx.net *.rubiconproject.com *.adnxs.com sync.adaptv.advertising.com *.linkedin.com; media-src 'self' *.llnw.net *.delvenetworks.com *.llnw.com; frame-src 'self' cdn-akamai.mookie1.com tags.tiqcdn.com s7.addthis.com www.youtube.com static.addtoany.com *.doubleclick.net www.google.com *.understand.com *.marketo.com *.sli.do *.facebook.com/tr/; font-src 'self' data: themes.googleusercontent.com fonts.gstatic.com *.bootstrapcdn.com www.bugherd.com; connect-src 'self' 'unsafe-inline' 309-lvl-470.mktoresp.com sjrtp4.marketo.com m.addthis.com *.pusherapp.com *.pusher.com www.bugherd.com *.google-analytics.com api.northwell.edu content.healthwise.net *.facebook.com *.adnxs.com; report-uri /admin/config/system/seckit/csp-report
  • sendevideoizle.com script-src http://*.scorecardresearch.com 'unsafe-inline'
  • www.denkwerk.com default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.denkwerk.com www.googletagmanager.com tagmanager.google.com www.google-analytics.com *.doubleclick.net; connect-src 'self' *.denkwerk.com; font-src 'self' *.denkwerk.com; media-src *.denkwerk.com player.vimeo.com *.vimeocdn.com gcs-vimeo.akamaized.net;
  • www.bloomberg.com upgrade-insecure-requests
  • searchingresult.com default-src 'self'; script-src 'self' 'unsafe-inline'
  • backlinkshelf.com script-src http://*.scorecardresearch.com 'unsafe-inline'
  • volusion.com default-src 'self' *.volusion.com *.optimizely.com *.vzaar.com *.wistia.com; script-src 'self' *.facebook.net *.g.doubleclick.net *.volusion.com *.wistia.com *.optimizely.com *.googleadservices.com *.googletagmanager.com *.cloudfront.net *.marketo.net *.google-analytics.com *.amazonaws.com; style-src 'self' *.webink.com *.volusion.com; font-src 'self' *.cloudfront.net; frame-src 'self' *; img-src *; object-src 'self' *.wistia.com *.vzaar.com *.loggly.com *.kuonamaoni.com *.google-analytics.com; options inline-script eval-script;
  • fatfuckfrank.org default-src 'self'; script-src 'self' 'unsafe-inline'
  • bitdefender.com.au frame-ancestors 'self' http://www.bitdefender.com.au
  • silklyrics.com script-src http://*.scorecardresearch.com 'unsafe-inline'
  • artmodelscenter.com script-src http://*.scorecardresearch.com 'unsafe-inline'
  • www.theaustralian.com.au block-all-mixed-content; style-src https: 'unsafe-inline'; script-src https: blob: 'unsafe-inline' 'unsafe-eval'; img-src https: data:; frame-src https:; report-uri https://collectors.au.sumologic.com/receiver/v1/http/ZaVnC4dhaV2fq-TmkezxDM5kD77zglzTUyrlNqPe059oQhlSBcEFmaLaBbMi5G2BkSSJjyA6wJZ-iUDLrux0ATja4lHZr94sfyyTtdVcA_GiHULLYxFY7Q==