[{"id":"6a55f229282f32c00d5a5f60","ts":"2026-07-14T08:24:09.638Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://app.delightcloud.ch/vite3_test/app","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; img-src 'self' data:; script-src-elem 'self'; style-src-elem 'self' 'unsafe-inline'; worker-src 'self'; script-src ; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; connect-src *; require-trusted-types-for 'script'; trusted-types default delight vue dompurify;","directives":{"connect-src":["*"],"default-src":["'self'"],"font-src":["'self'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"require-trusted-types-for":["'script'"],"script-src":[],"script-src-elem":["'self'"],"style-src":["'self'","'unsafe-inline'"],"style-src-elem":["'self'","'unsafe-inline'"],"trusted-types":["default","delight","dompurify","vue"],"worker-src":["'self'"]},"directiveOrder":["default-src","img-src","script-src-elem","style-src-elem","worker-src","script-src","style-src","font-src","frame-src","connect-src","require-trusted-types-for","trusted-types"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'script'":"","'self'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","data:":"scheme-source","default":"host-source","delight":"host-source","dompurify":"host-source","vue":"host-source"}},"disposition":"enforce","source":"meta","policies":["default-src 'self'; script-src ; script-src-elem 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; connect-src *; font-src 'self'; frame-src 'self'; img-src 'self' data:; trusted-types default delight dompurify vue; require-trusted-types-for 'script'; worker-src 'self';"],"stats":{"totalHigh":0,"totalMedium":4,"totalLow":7,"totalInfo":0},"recommendations":[{"title":"Unknown CSP Source","severity":"MEDIUM","directive":"require-trusted-types-for","source":"'script'","message":"Invalid source type. It is not one of the types that CSP recognizes.","recommendation":"Fix the source such that it is a valid CSP source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"style-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Source has unnecessary quotes","severity":"LOW","directive":"require-trusted-types-for","source":"'script'","message":"The source has quotes when it should not","recommendation":"Remove the quotes.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Length of sources is zero","severity":"LOW","directive":"script-src","source":"","message":"Most directives require a source to work.","recommendation":"Either remove the directive or add valid sources.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a55ef8e9b3483eecbc368ca","ts":"2026-07-14T08:13:02.242Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://sit-apply.cimb.com.my/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://stackpath.bootstrapcdn.com https://www.googletagmanager.com https://assets.adobedtm.com https://tags.crwdcntrl.net https://www.google.com https://www.gstatic.com https://www.cimbclicks.com.my https://connect.facebook.net https://cdn-akamai.mookie1.com https://tags.crwdcntrl.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com https://fonts.googleapis.com https://use.fontawesome.com https://cdn.jsdelivr.net; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://use.fontawesome.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; connect-src 'self' https://*.cimb.com https://*.cimb.com.my https://*.cimbbank.com.my https://*.cimbdomain.com https://www.googletagmanager.com https://tags.crwdcntrl.net https://bcp.crwdcntrl.net https://www.google.com https://auth.kwsp.gov.my https://auth-test.epf.gov.my https://dpm.demdex.net https://cimbinvestmentbankbe.tt.omtrdc.net https://googleads.g.doubleclick.net https://cdn.jsdelivr.net; frame-src 'self' https://www.googletagmanager.com https://www.youtube.com https://www.google.com https://recaptcha.google.com; object-src 'none'; base-uri 'self'; form-action 'self' https://www.cimbclicks.com.my https://apply.cimb.com.my https://*.cimbbank.com.my; media-src 'self'; worker-src 'self' blob:; manifest-src 'self'; upgrade-insecure-requests","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://*.cimb.com","https://*.cimb.com.my","https://*.cimbbank.com.my","https://*.cimbdomain.com","https://auth-test.epf.gov.my","https://auth.kwsp.gov.my","https://bcp.crwdcntrl.net","https://cdn.jsdelivr.net","https://cimbinvestmentbankbe.tt.omtrdc.net","https://dpm.demdex.net","https://googleads.g.doubleclick.net","https://tags.crwdcntrl.net","https://www.google.com","https://www.googletagmanager.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://cdn.jsdelivr.net","https://fonts.googleapis.com","https://fonts.gstatic.com","https://use.fontawesome.com"],"form-action":["'self'","https://*.cimbbank.com.my","https://apply.cimb.com.my","https://www.cimbclicks.com.my"],"frame-src":["'self'","https://recaptcha.google.com","https://www.google.com","https://www.googletagmanager.com","https://www.youtube.com"],"img-src":["'self'","blob:","data:","https:"],"manifest-src":["'self'"],"media-src":["'self'"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://assets.adobedtm.com","https://cdn-akamai.mookie1.com","https://cdn.jsdelivr.net","https://code.jquery.com","https://connect.facebook.net","https://stackpath.bootstrapcdn.com","https://tags.crwdcntrl.net","https://tags.crwdcntrl.net","https://www.cimbclicks.com.my","https://www.google.com","https://www.googletagmanager.com","https://www.gstatic.com"],"style-src":["'self'","'unsafe-inline'","https://cdn.jsdelivr.net","https://cdn.jsdelivr.net","https://fonts.googleapis.com","https://stackpath.bootstrapcdn.com","https://use.fontawesome.com"],"upgrade-insecure-requests":[],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","frame-src","object-src","base-uri","form-action","media-src","worker-src","manifest-src","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https:":"scheme-source","https://*.cimb.com":"host-source","https://*.cimb.com.my":"host-source","https://*.cimbbank.com.my":"host-source","https://*.cimbdomain.com":"host-source","https://apply.cimb.com.my":"host-source","https://assets.adobedtm.com":"host-source","https://auth-test.epf.gov.my":"host-source","https://auth.kwsp.gov.my":"host-source","https://bcp.crwdcntrl.net":"host-source","https://cdn-akamai.mookie1.com":"host-source","https://cdn.jsdelivr.net":"host-source","https://cimbinvestmentbankbe.tt.omtrdc.net":"host-source","https://code.jquery.com":"host-source","https://connect.facebook.net":"host-source","https://dpm.demdex.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://googleads.g.doubleclick.net":"host-source","https://recaptcha.google.com":"host-source","https://stackpath.bootstrapcdn.com":"host-source","https://tags.crwdcntrl.net":"host-source","https://use.fontawesome.com":"host-source","https://www.cimbclicks.com.my":"host-source","https://www.google.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://assets.adobedtm.com https://cdn-akamai.mookie1.com https://cdn.jsdelivr.net https://code.jquery.com https://connect.facebook.net https://stackpath.bootstrapcdn.com https://tags.crwdcntrl.net https://www.cimbclicks.com.my https://www.google.com https://www.googletagmanager.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://stackpath.bootstrapcdn.com https://use.fontawesome.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://*.cimb.com https://*.cimb.com.my https://*.cimbbank.com.my https://*.cimbdomain.com https://auth-test.epf.gov.my https://auth.kwsp.gov.my https://bcp.crwdcntrl.net https://cdn.jsdelivr.net https://cimbinvestmentbankbe.tt.omtrdc.net https://dpm.demdex.net https://googleads.g.doubleclick.net https://tags.crwdcntrl.net https://www.google.com https://www.googletagmanager.com; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.googleapis.com https://fonts.gstatic.com https://use.fontawesome.com; form-action 'self' https://*.cimbbank.com.my https://apply.cimb.com.my https://www.cimbclicks.com.my; frame-src 'self' https://recaptcha.google.com https://www.google.com https://www.googletagmanager.com https://www.youtube.com; img-src 'self' blob: data: https:; manifest-src 'self'; media-src 'self'; upgrade-insecure-requests ; worker-src 'self' blob:;"],"stats":{"totalHigh":1,"totalMedium":13,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://stackpath.bootstrapcdn.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.cimbclicks.com.my","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://assets.adobedtm.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn-akamai.mookie1.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.jsdelivr.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://tags.crwdcntrl.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"connect-src","source":"https://*.cimb.com.my","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a55e316282f32c00d5a5f47","ts":"2026-07-14T07:19:50.629Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www-515d.aig.co.jp/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-hashes' 'sha256-Ai8vXeMrERDV2mQjBsYHEpuV6HIWSMYrgE9j73Iea7c=' 'sha256-M+4cO0XZ0CvFgDk5jOuynD+aSnQ7GmoNLTcTQGMxaoY=' 'sha256-hKY/iTJbcKsLoq83nzOSTq8KU0/Kv4dALiIPqdh7vlw=' 'sha256-xCxBLKccifPlOj4+TfXhQLt2JC6VO9q4Pr3OCKrxJbU=' https://assets.adobedtm.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://edge.adobedc.net https://www-515d-hip11api.aig.co.jp; frame-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://edge.adobedc.net","https://www-515d-hip11api.aig.co.jp"],"default-src":["'self'"],"font-src":["'self'"],"form-action":["'self'"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"object-src":["'none'"],"script-src":["'self'","'sha256-Ai8vXeMrERDV2mQjBsYHEpuV6HIWSMYrgE9j73Iea7c='","'sha256-M+4cO0XZ0CvFgDk5jOuynD+aSnQ7GmoNLTcTQGMxaoY='","'sha256-hKY/iTJbcKsLoq83nzOSTq8KU0/Kv4dALiIPqdh7vlw='","'sha256-xCxBLKccifPlOj4+TfXhQLt2JC6VO9q4Pr3OCKrxJbU='","'unsafe-hashes'","https://assets.adobedtm.com"],"style-src":["'self'","'unsafe-inline'"]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","object-src","frame-ancestors","base-uri","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'sha256-Ai8vXeMrERDV2mQjBsYHEpuV6HIWSMYrgE9j73Iea7c='":"hash-source","'sha256-M+4cO0XZ0CvFgDk5jOuynD+aSnQ7GmoNLTcTQGMxaoY='":"hash-source","'sha256-hKY/iTJbcKsLoq83nzOSTq8KU0/Kv4dALiIPqdh7vlw='":"hash-source","'sha256-xCxBLKccifPlOj4+TfXhQLt2JC6VO9q4Pr3OCKrxJbU='":"hash-source","'unsafe-hashes'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https://assets.adobedtm.com":"host-source","https://edge.adobedc.net":"host-source","https://www-515d-hip11api.aig.co.jp":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'sha256-Ai8vXeMrERDV2mQjBsYHEpuV6HIWSMYrgE9j73Iea7c=' 'sha256-M+4cO0XZ0CvFgDk5jOuynD+aSnQ7GmoNLTcTQGMxaoY=' 'sha256-hKY/iTJbcKsLoq83nzOSTq8KU0/Kv4dALiIPqdh7vlw=' 'sha256-xCxBLKccifPlOj4+TfXhQLt2JC6VO9q4Pr3OCKrxJbU=' 'unsafe-hashes' https://assets.adobedtm.com; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' https://edge.adobedc.net https://www-515d-hip11api.aig.co.jp; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self' data:;"],"stats":{"totalHigh":0,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://assets.adobedtm.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a55e1bf9b3483eecbc368ad","ts":"2026-07-14T07:14:07.098Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ebank.hkbea.com.cn","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; base-uri 'self'; form-action 'self'; font-src 'self' *.hkbea.com.cn data:; img-src 'self' *.hkbea.com.cn data:; script-src 'self' 'report-sample'; style-src 'self' 'report-sample'; connect-src 'self' *.hkbea.com.cn; object-src 'self'; media-src 'self' *.hkbea.com.cn; report-uri 'self' *.hkbea.com.cn","directives":{"base-uri":["'self'"],"connect-src":["'self'","*.hkbea.com.cn"],"default-src":["'self'"],"font-src":["'self'","*.hkbea.com.cn","data:"],"form-action":["'self'"],"img-src":["'self'","*.hkbea.com.cn","data:"],"media-src":["'self'","*.hkbea.com.cn"],"object-src":["'self'"],"report-uri":["'self'","*.hkbea.com.cn"],"script-src":["'report-sample'","'self'"],"style-src":["'report-sample'","'self'"]},"directiveOrder":["default-src","base-uri","form-action","font-src","img-src","script-src","style-src","connect-src","object-src","media-src","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'report-sample'":"keyword-source","'self'":"keyword-source","*.hkbea.com.cn":"host-source","data:":"scheme-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'self'; base-uri 'self'; connect-src 'self' *.hkbea.com.cn; font-src 'self' *.hkbea.com.cn data:; form-action 'self'; img-src 'self' *.hkbea.com.cn data:; media-src 'self' *.hkbea.com.cn; report-uri 'self' *.hkbea.com.cn;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"6a55deb59b3483eecbc368a9","ts":"2026-07-14T07:01:09.193Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://eng.hkbea.com.cn","isHidden":false,"parsedPolicy":{"policy":"default-src self; font-src *; img-src * data: ; script-src 'report-sample' 'self' ; style-src * 'report-sample' 'self' ; form-action 'self' ; connect-src *; object-src 'self' ; frame-src *; media-src * ; report-uri *; base-uri self","directives":{"base-uri":["self"],"connect-src":["*"],"default-src":["self"],"font-src":["*"],"form-action":["'self'"],"frame-src":["*"],"img-src":["*","data:"],"media-src":["*"],"object-src":["'self'"],"report-uri":["*"],"script-src":["'report-sample'","'self'"],"style-src":["'report-sample'","'self'","*"]},"directiveOrder":["default-src","font-src","img-src","script-src","style-src","form-action","connect-src","object-src","frame-src","media-src","report-uri","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'report-sample'":"keyword-source","'self'":"keyword-source","*":"host-source","data:":"scheme-source","self":"keyword-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self' *; object-src 'self'; base-uri 'self'; connect-src *; font-src *; form-action 'self'; frame-src *; img-src * data:; media-src *; report-uri *;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"6a55de9e282f32c00d5a5f45","ts":"2026-07-14T07:00:46.342Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.hkbea.com.cn","isHidden":false,"parsedPolicy":{"policy":"default-src self; font-src *; img-src * data: ; script-src 'report-sample' 'self' ; style-src * 'report-sample' 'self' ; form-action 'self' ; connect-src *; object-src 'self' ; frame-src *; media-src * ; report-uri *; base-uri self","directives":{"base-uri":["self"],"connect-src":["*"],"default-src":["self"],"font-src":["*"],"form-action":["'self'"],"frame-src":["*"],"img-src":["*","data:"],"media-src":["*"],"object-src":["'self'"],"report-uri":["*"],"script-src":["'report-sample'","'self'"],"style-src":["'report-sample'","'self'","*"]},"directiveOrder":["default-src","font-src","img-src","script-src","style-src","form-action","connect-src","object-src","frame-src","media-src","report-uri","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'report-sample'":"keyword-source","'self'":"keyword-source","*":"host-source","data:":"scheme-source","self":"keyword-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self' *; object-src 'self'; base-uri 'self'; connect-src *; font-src *; form-action 'self'; frame-src *; img-src * data:; media-src *; report-uri *;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"6a55c1349b3483eecbc368a3","ts":"2026-07-14T04:55:16.884Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://bentleymotors.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' https://gateway.zscloud.net;\n object-src 'self';\n script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://app.usercentrics.eu https://maps.googleapis.com http://*.addthis.com https://*.baidu.com https://www.googletagmanager.com https://googletagmanager.com https://*.googletagmanager.com https://tagmanager.google.com https://www.google-analytics.com https://ssl.google-analytics.com https://www.googleadservices.com https://www.google.com https://*.doubleclick.net https://static.ads-twitter.com https://connect.facebook.net https://sc-static.net https://snap.licdn.com https://*.snapchat.com https://*.fullstory.com https://*.fullstory.com https://gateway.zscloud.net https://analytics.tiktok.com https://c.amazon-adsystem.com https://s.pinimg.com https://p.teads.tv https://ads-engagement.presage.io https://www.redditstatic.com https://ct.pinterest.com https://scripts.psyma.com https://*.go-mpulse.net https://*.seznam.cz https://s2.adform.net https://track.adform.net;\n style-src 'self' 'unsafe-inline' blob: https://fonts.googleapis.com https://googletagmanager.com https://tagmanager.google.com https://gateway.zscloud.net https://www.googletagmanager.com;\n font-src 'self' https://fonts.gstatic.com;\n connect-src 'self' https://*.bentley-motors.co.uk https://*.bentleymotors.com https://api.friendlycaptcha.com https://*.usercentrics.eu https://*.uplynk.com https://maps.googleapis.com https://*.baidu.com https://www.google.com https://*.doubleclick.net https://px.ads.linkedin.com https://*.snapchat.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com https://*.google.de https://*.fullstory.com https://www.facebook.com https://analytics.tiktok.com https://*.googlesyndication.com https://ct.pinterest.com https://*.teads.tv https://ara.paa-reporting-advertising.amazon https://conversions-config.reddit.com https://*.amazon-adsystem.com https://www.redditstatic.com https://pixel-config.reddit.com https://*.go-mpulse.net https://*.akstat.io https://api.mtkconnect.io https://*.akamaihd.net wss://*.avp.tech https://*.avp.tech https://kinesisvideo.eu-west-1.amazonaws.com wss://*.kinesisvideo.eu-west-1.amazonaws.com https://*.kinesisvideo.eu-west-1.amazonaws.com https://analytics-ipv6.tiktokw.us https://www.googleadservices.com https://*.adobeaemcloud.com https://s.pinimg.com https://*.seznam.cz;\n frame-src https://*.doubleclick.net https://*.snapchat.com https://*.g.doubleclick.net https://www.youtube.com https://gateway.zscloud.net https://www.googletagmanager.com https://ct.pinterest.com https://*.amazon-adsystem.com https://fledge.teads.tv https://*.avp.tech https://grp.volkswagenag.com 'self' https://*.frcapi.com;\n media-src 'self' blob: https://*.uplynk.com https://delivery-p153381-e1601885.adobeaemcloud.com https://*.adobeaemcloud.com;\n img-src 'self' data: https://*.usercentrics.eu https://maps.gstatic.com https://maps.googleapis.com https://www.google.com https://www.google.de https://www.bentleymotors.com https://*.bentleymotors.com https://bentley-webref.they-code.de https://*.baidu.com https://t.co https://analytics.twitter.com https://px.ads.linkedin.com https://*.google-analytics.com https://www.google-analytics.com https://googletagmanager.com https://*.googletagmanager.com https://*.analytics.google.com https://ssl.gstatic.com https://www.gstatic.com https://ade.googlesyndication.com https://www.facebook.com https://*.facebook.net https://*.doubleclick.net https://*.g.doubleclick.net https://eprel.ec.europa.eu https://gateway.zscloud.net https://*.googlesyndication.com https://*.teads.tv https://ads-engagement.presage.io https://alb.reddit.com https://scripts.psyma.com https://*.akstat.io https://mdp-api-bentley.they-code.de https://res.cloudinary.com https://*.adobeaemcloud.com https://fonts.gstatic.com https://*.seznam.cz https://www.googleadservices.com;\n form-action 'none';\n report-to ;","directives":{"connect-src":["'self'","https://*.adobeaemcloud.com","https://*.akamaihd.net","https://*.akstat.io","https://*.amazon-adsystem.com","https://*.analytics.google.com","https://*.avp.tech","https://*.baidu.com","https://*.bentley-motors.co.uk","https://*.bentleymotors.com","https://*.doubleclick.net","https://*.fullstory.com","https://*.g.doubleclick.net","https://*.go-mpulse.net","https://*.google-analytics.com","https://*.google.com","https://*.google.de","https://*.googlesyndication.com","https://*.googletagmanager.com","https://*.kinesisvideo.eu-west-1.amazonaws.com","https://*.seznam.cz","https://*.snapchat.com","https://*.teads.tv","https://*.uplynk.com","https://*.usercentrics.eu","https://analytics-ipv6.tiktokw.us","https://analytics.tiktok.com","https://api.friendlycaptcha.com","https://api.mtkconnect.io","https://ara.paa-reporting-advertising.amazon","https://conversions-config.reddit.com","https://ct.pinterest.com","https://kinesisvideo.eu-west-1.amazonaws.com","https://maps.googleapis.com","https://pixel-config.reddit.com","https://px.ads.linkedin.com","https://s.pinimg.com","https://www.facebook.com","https://www.google.com","https://www.googleadservices.com","https://www.redditstatic.com","wss://*.avp.tech","wss://*.kinesisvideo.eu-west-1.amazonaws.com"],"default-src":["'self'","https://gateway.zscloud.net"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'none'"],"frame-src":["'self'","https://*.amazon-adsystem.com","https://*.avp.tech","https://*.doubleclick.net","https://*.frcapi.com","https://*.g.doubleclick.net","https://*.snapchat.com","https://ct.pinterest.com","https://fledge.teads.tv","https://gateway.zscloud.net","https://grp.volkswagenag.com","https://www.googletagmanager.com","https://www.youtube.com"],"img-src":["'self'","data:","https://*.adobeaemcloud.com","https://*.akstat.io","https://*.analytics.google.com","https://*.baidu.com","https://*.bentleymotors.com","https://*.doubleclick.net","https://*.facebook.net","https://*.g.doubleclick.net","https://*.google-analytics.com","https://*.googlesyndication.com","https://*.googletagmanager.com","https://*.seznam.cz","https://*.teads.tv","https://*.usercentrics.eu","https://ade.googlesyndication.com","https://ads-engagement.presage.io","https://alb.reddit.com","https://analytics.twitter.com","https://bentley-webref.they-code.de","https://eprel.ec.europa.eu","https://fonts.gstatic.com","https://gateway.zscloud.net","https://googletagmanager.com","https://maps.googleapis.com","https://maps.gstatic.com","https://mdp-api-bentley.they-code.de","https://px.ads.linkedin.com","https://res.cloudinary.com","https://scripts.psyma.com","https://ssl.gstatic.com","https://t.co","https://www.bentleymotors.com","https://www.facebook.com","https://www.google-analytics.com","https://www.google.com","https://www.google.de","https://www.googleadservices.com","https://www.gstatic.com"],"media-src":["'self'","blob:","https://*.adobeaemcloud.com","https://*.uplynk.com","https://delivery-p153381-e1601885.adobeaemcloud.com"],"object-src":["'self'"],"report-to":[],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","blob:","http://*.addthis.com","https://*.baidu.com","https://*.doubleclick.net","https://*.fullstory.com","https://*.fullstory.com","https://*.go-mpulse.net","https://*.googletagmanager.com","https://*.seznam.cz","https://*.snapchat.com","https://ads-engagement.presage.io","https://analytics.tiktok.com","https://app.usercentrics.eu","https://c.amazon-adsystem.com","https://connect.facebook.net","https://ct.pinterest.com","https://gateway.zscloud.net","https://googletagmanager.com","https://maps.googleapis.com","https://p.teads.tv","https://s.pinimg.com","https://s2.adform.net","https://sc-static.net","https://scripts.psyma.com","https://snap.licdn.com","https://ssl.google-analytics.com","https://static.ads-twitter.com","https://tagmanager.google.com","https://track.adform.net","https://www.google-analytics.com","https://www.google.com","https://www.googleadservices.com","https://www.googletagmanager.com","https://www.redditstatic.com"],"style-src":["'self'","'unsafe-inline'","blob:","https://fonts.googleapis.com","https://gateway.zscloud.net","https://googletagmanager.com","https://tagmanager.google.com","https://www.googletagmanager.com"]},"directiveOrder":["default-src","object-src","script-src","style-src","font-src","connect-src","frame-src","media-src","img-src","form-action","report-to"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","http://*.addthis.com":"host-source","https://*.adobeaemcloud.com":"host-source","https://*.akamaihd.net":"host-source","https://*.akstat.io":"host-source","https://*.amazon-adsystem.com":"host-source","https://*.analytics.google.com":"host-source","https://*.avp.tech":"host-source","https://*.baidu.com":"host-source","https://*.bentley-motors.co.uk":"host-source","https://*.bentleymotors.com":"host-source","https://*.doubleclick.net":"host-source","https://*.facebook.net":"host-source","https://*.frcapi.com":"host-source","https://*.fullstory.com":"host-source","https://*.g.doubleclick.net":"host-source","https://*.go-mpulse.net":"host-source","https://*.google-analytics.com":"host-source","https://*.google.com":"host-source","https://*.google.de":"host-source","https://*.googlesyndication.com":"host-source","https://*.googletagmanager.com":"host-source","https://*.kinesisvideo.eu-west-1.amazonaws.com":"host-source","https://*.seznam.cz":"host-source","https://*.snapchat.com":"host-source","https://*.teads.tv":"host-source","https://*.uplynk.com":"host-source","https://*.usercentrics.eu":"host-source","https://ade.googlesyndication.com":"host-source","https://ads-engagement.presage.io":"host-source","https://alb.reddit.com":"host-source","https://analytics-ipv6.tiktokw.us":"host-source","https://analytics.tiktok.com":"host-source","https://analytics.twitter.com":"host-source","https://api.friendlycaptcha.com":"host-source","https://api.mtkconnect.io":"host-source","https://app.usercentrics.eu":"host-source","https://ara.paa-reporting-advertising.amazon":"host-source","https://bentley-webref.they-code.de":"host-source","https://c.amazon-adsystem.com":"host-source","https://connect.facebook.net":"host-source","https://conversions-config.reddit.com":"host-source","https://ct.pinterest.com":"host-source","https://delivery-p153381-e1601885.adobeaemcloud.com":"host-source","https://eprel.ec.europa.eu":"host-source","https://fledge.teads.tv":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://gateway.zscloud.net":"host-source","https://googletagmanager.com":"host-source","https://grp.volkswagenag.com":"host-source","https://kinesisvideo.eu-west-1.amazonaws.com":"host-source","https://maps.googleapis.com":"host-source","https://maps.gstatic.com":"host-source","https://mdp-api-bentley.they-code.de":"host-source","https://p.teads.tv":"host-source","https://pixel-config.reddit.com":"host-source","https://px.ads.linkedin.com":"host-source","https://res.cloudinary.com":"host-source","https://s.pinimg.com":"host-source","https://s2.adform.net":"host-source","https://sc-static.net":"host-source","https://scripts.psyma.com":"host-source","https://snap.licdn.com":"host-source","https://ssl.google-analytics.com":"host-source","https://ssl.gstatic.com":"host-source","https://static.ads-twitter.com":"host-source","https://t.co":"host-source","https://tagmanager.google.com":"host-source","https://track.adform.net":"host-source","https://www.bentleymotors.com":"host-source","https://www.facebook.com":"host-source","https://www.google-analytics.com":"host-source","https://www.google.com":"host-source","https://www.google.de":"host-source","https://www.googleadservices.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source","https://www.redditstatic.com":"host-source","https://www.youtube.com":"host-source","wss://*.avp.tech":"host-source","wss://*.kinesisvideo.eu-west-1.amazonaws.com":"host-source"}},"disposition":"enforce","source":"meta","policies":["default-src 'self' https://gateway.zscloud.net; script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: http://*.addthis.com https://*.baidu.com https://*.doubleclick.net https://*.fullstory.com https://*.go-mpulse.net https://*.googletagmanager.com https://*.seznam.cz https://*.snapchat.com https://ads-engagement.presage.io https://analytics.tiktok.com https://app.usercentrics.eu https://c.amazon-adsystem.com https://connect.facebook.net https://ct.pinterest.com https://gateway.zscloud.net https://googletagmanager.com https://maps.googleapis.com https://p.teads.tv https://s.pinimg.com https://s2.adform.net https://sc-static.net https://scripts.psyma.com https://snap.licdn.com https://ssl.google-analytics.com https://static.ads-twitter.com https://tagmanager.google.com https://track.adform.net https://www.google-analytics.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com https://www.redditstatic.com; style-src 'self' 'unsafe-inline' blob: https://fonts.googleapis.com https://gateway.zscloud.net https://googletagmanager.com https://tagmanager.google.com https://www.googletagmanager.com; object-src 'self'; connect-src 'self' https://*.adobeaemcloud.com https://*.akamaihd.net https://*.akstat.io https://*.amazon-adsystem.com https://*.analytics.google.com https://*.avp.tech https://*.baidu.com https://*.bentley-motors.co.uk https://*.bentleymotors.com https://*.doubleclick.net https://*.fullstory.com https://*.g.doubleclick.net https://*.go-mpulse.net https://*.google-analytics.com https://*.google.com https://*.google.de https://*.googlesyndication.com https://*.googletagmanager.com https://*.kinesisvideo.eu-west-1.amazonaws.com https://*.seznam.cz https://*.snapchat.com https://*.teads.tv https://*.uplynk.com https://*.usercentrics.eu https://analytics-ipv6.tiktokw.us https://analytics.tiktok.com https://api.friendlycaptcha.com https://api.mtkconnect.io https://ara.paa-reporting-advertising.amazon https://conversions-config.reddit.com https://ct.pinterest.com https://kinesisvideo.eu-west-1.amazonaws.com https://maps.googleapis.com https://pixel-config.reddit.com https://px.ads.linkedin.com https://s.pinimg.com https://www.facebook.com https://www.google.com https://www.googleadservices.com https://www.redditstatic.com wss://*.avp.tech wss://*.kinesisvideo.eu-west-1.amazonaws.com; font-src 'self' https://fonts.gstatic.com; form-action 'none'; frame-src 'self' https://*.amazon-adsystem.com https://*.avp.tech https://*.doubleclick.net https://*.frcapi.com https://*.g.doubleclick.net https://*.snapchat.com https://ct.pinterest.com https://fledge.teads.tv https://gateway.zscloud.net https://grp.volkswagenag.com https://www.googletagmanager.com https://www.youtube.com; img-src 'self' data: https://*.adobeaemcloud.com https://*.akstat.io https://*.analytics.google.com https://*.baidu.com https://*.bentleymotors.com https://*.doubleclick.net https://*.facebook.net https://*.g.doubleclick.net https://*.google-analytics.com https://*.googlesyndication.com https://*.googletagmanager.com https://*.seznam.cz https://*.teads.tv https://*.usercentrics.eu https://ade.googlesyndication.com https://ads-engagement.presage.io https://alb.reddit.com https://analytics.twitter.com https://bentley-webref.they-code.de https://eprel.ec.europa.eu https://fonts.gstatic.com https://gateway.zscloud.net https://googletagmanager.com https://maps.googleapis.com https://maps.gstatic.com https://mdp-api-bentley.they-code.de https://px.ads.linkedin.com https://res.cloudinary.com https://scripts.psyma.com https://ssl.gstatic.com https://t.co https://www.bentleymotors.com https://www.facebook.com https://www.google-analytics.com https://www.google.com https://www.google.de https://www.googleadservices.com https://www.gstatic.com; media-src 'self' blob: https://*.adobeaemcloud.com https://*.uplynk.com https://delivery-p153381-e1601885.adobeaemcloud.com; report-to ;"],"stats":{"totalHigh":1,"totalMedium":35,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"http://*.addthis.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.baidu.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.doubleclick.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.fullstory.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.go-mpulse.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.googletagmanager.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.seznam.cz","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.snapchat.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ads-engagement.presage.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://analytics.tiktok.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://app.usercentrics.eu","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://c.amazon-adsystem.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http://*.addthis.com","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ct.pinterest.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.redditstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://gateway.zscloud.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://s2.adform.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://p.teads.tv","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://s.pinimg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://maps.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://sc-static.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://scripts.psyma.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://snap.licdn.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ssl.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://static.ads-twitter.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://tagmanager.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://track.adform.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googleadservices.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Length of sources is zero","severity":"LOW","directive":"report-to","source":"","message":"Most directives require a source to work.","recommendation":"Either remove the directive or add valid sources.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a55777e9b3483eecbc3689a","ts":"2026-07-13T23:40:46.746Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://en.wikipedia.org","isHidden":false,"parsedPolicy":{"policy":"script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org mediawiki.org wikimedia.org *.wmflabs.org *.wmcloud.org *.toolforge.org wss://*.toolforge.org *.jsdelivr.net unpkg.com cdnjs.cloudflare.com raw.githubusercontent.com *.github.com code.jquery.com cdn.mathjax.org use.typekit.net fonts.cdnfonts.com use.fontawesome.com i.ytimg.com rsms.me doi.org localhost https://localhost:* http://localhost:* wss://localhost:* ws://localhost:* *.google.com *.gstatic.com *.googleapis.com *.translate.yandex.net yastatic.net ya.ru radically.github.io cdn.sammdot.ca cdn.fontshare.com viaf.org publicai-proxy.alaexis.workers.dev iiif.archive.org api.flickr.com live.staticflickr.com api.anthropic.com api.openai.com api.publicai.co catalogo.pusc.it parsifal.urbe.it opac.sbn.it overpass-api.de api.openrouteservice.org archive.org *.openstreetmap.org *.waymarkedtrails.org *.thunderforest.com registry.ipe.wiki analytics.ipe.wiki qlever.dev app.goacoustic.com wikipedia-archive.ourworldindata.org api.inaturalist.org inaturalist-open-data.s3.amazonaws.com validator.w3.org db.onlinewebfonts.com fontlibrary.org 'unsafe-inline' auth.wikimedia.org; default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org mediawiki.org wikimedia.org *.wmflabs.org *.wmcloud.org *.toolforge.org wss://*.toolforge.org *.jsdelivr.net unpkg.com cdnjs.cloudflare.com raw.githubusercontent.com *.github.com code.jquery.com cdn.mathjax.org use.typekit.net fonts.cdnfonts.com use.fontawesome.com i.ytimg.com rsms.me doi.org localhost https://localhost:* http://localhost:* wss://localhost:* ws://localhost:* *.google.com *.gstatic.com *.googleapis.com *.translate.yandex.net yastatic.net ya.ru radically.github.io cdn.sammdot.ca cdn.fontshare.com viaf.org publicai-proxy.alaexis.workers.dev iiif.archive.org api.flickr.com live.staticflickr.com api.anthropic.com api.openai.com api.publicai.co catalogo.pusc.it parsifal.urbe.it opac.sbn.it overpass-api.de api.openrouteservice.org archive.org *.openstreetmap.org *.waymarkedtrails.org *.thunderforest.com registry.ipe.wiki analytics.ipe.wiki qlever.dev app.goacoustic.com wikipedia-archive.ourworldindata.org api.inaturalist.org inaturalist-open-data.s3.amazonaws.com validator.w3.org db.onlinewebfonts.com fontlibrary.org en.wikibooks.org en.wikinews.org en.wikiquote.org en.wikisource.org en.wikiversity.org en.wikivoyage.org en.wiktionary.org www.mediawiki.org commons.wikimedia.org foundation.wikimedia.org incubator.wikimedia.org species.wikimedia.org wikimania.wikimedia.org www.wikidata.org www.wikifunctions.org auth.wikimedia.org; style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org mediawiki.org wikimedia.org *.wmflabs.org *.wmcloud.org *.toolforge.org wss://*.toolforge.org *.jsdelivr.net unpkg.com cdnjs.cloudflare.com raw.githubusercontent.com *.github.com code.jquery.com cdn.mathjax.org use.typekit.net fonts.cdnfonts.com use.fontawesome.com i.ytimg.com rsms.me doi.org localhost https://localhost:* http://localhost:* wss://localhost:* ws://localhost:* *.google.com *.gstatic.com *.googleapis.com *.translate.yandex.net yastatic.net ya.ru radically.github.io cdn.sammdot.ca cdn.fontshare.com viaf.org publicai-proxy.alaexis.workers.dev iiif.archive.org api.flickr.com live.staticflickr.com api.anthropic.com api.openai.com api.publicai.co catalogo.pusc.it parsifal.urbe.it opac.sbn.it overpass-api.de api.openrouteservice.org archive.org *.openstreetmap.org *.waymarkedtrails.org *.thunderforest.com registry.ipe.wiki analytics.ipe.wiki qlever.dev app.goacoustic.com wikipedia-archive.ourworldindata.org api.inaturalist.org inaturalist-open-data.s3.amazonaws.com validator.w3.org db.onlinewebfonts.com fontlibrary.org 'unsafe-inline'; object-src 'none'; report-uri /w/api.php?action=cspreport\u0026format=json; report-to csp-report-to-endpoint","directives":{"default-src":["'self'","*.github.com","*.google.com","*.googleapis.com","*.gstatic.com","*.jsdelivr.net","*.mediawiki.org","*.openstreetmap.org","*.thunderforest.com","*.toolforge.org","*.translate.yandex.net","*.waymarkedtrails.org","*.wikibooks.org","*.wikidata.org","*.wikifunctions.org","*.wikimedia.org","*.wikinews.org","*.wikipedia.org","*.wikiquote.org","*.wikisource.org","*.wikiversity.org","*.wikivoyage.org","*.wiktionary.org","*.wmcloud.org","*.wmflabs.org","analytics.ipe.wiki","api.anthropic.com","api.flickr.com","api.inaturalist.org","api.openai.com","api.openrouteservice.org","api.publicai.co","app.goacoustic.com","archive.org","auth.wikimedia.org","blob:","catalogo.pusc.it","cdn.fontshare.com","cdn.mathjax.org","cdn.sammdot.ca","cdnjs.cloudflare.com","code.jquery.com","commons.wikimedia.org","data:","db.onlinewebfonts.com","doi.org","en.wikibooks.org","en.wikinews.org","en.wikiquote.org","en.wikisource.org","en.wikiversity.org","en.wikivoyage.org","en.wiktionary.org","fontlibrary.org","fonts.cdnfonts.com","foundation.wikimedia.org","http://localhost:*","https://commons.wikimedia.org","https://localhost:*","i.ytimg.com","iiif.archive.org","inaturalist-open-data.s3.amazonaws.com","incubator.wikimedia.org","live.staticflickr.com","localhost","mediawiki.org","meta.wikimedia.org","opac.sbn.it","overpass-api.de","parsifal.urbe.it","publicai-proxy.alaexis.workers.dev","qlever.dev","radically.github.io","raw.githubusercontent.com","registry.ipe.wiki","rsms.me","species.wikimedia.org","unpkg.com","upload.wikimedia.org","use.fontawesome.com","use.typekit.net","validator.w3.org","viaf.org","wikimania.wikimedia.org","wikimedia.org","wikipedia-archive.ourworldindata.org","wikisource.org","ws://localhost:*","wss://*.toolforge.org","wss://localhost:*","www.mediawiki.org","www.wikidata.org","www.wikifunctions.org","ya.ru","yastatic.net"],"object-src":["'none'"],"report-to":["csp-report-to-endpoint"],"report-uri":["/w/api.php?action=cspreport\u0026format=json"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*.github.com","*.google.com","*.googleapis.com","*.gstatic.com","*.jsdelivr.net","*.mediawiki.org","*.openstreetmap.org","*.thunderforest.com","*.toolforge.org","*.translate.yandex.net","*.waymarkedtrails.org","*.wikibooks.org","*.wikidata.org","*.wikifunctions.org","*.wikimedia.org","*.wikinews.org","*.wikipedia.org","*.wikiquote.org","*.wikisource.org","*.wikiversity.org","*.wikivoyage.org","*.wiktionary.org","*.wmcloud.org","*.wmflabs.org","analytics.ipe.wiki","api.anthropic.com","api.flickr.com","api.inaturalist.org","api.openai.com","api.openrouteservice.org","api.publicai.co","app.goacoustic.com","archive.org","auth.wikimedia.org","blob:","catalogo.pusc.it","cdn.fontshare.com","cdn.mathjax.org","cdn.sammdot.ca","cdnjs.cloudflare.com","code.jquery.com","db.onlinewebfonts.com","doi.org","fontlibrary.org","fonts.cdnfonts.com","http://localhost:*","https://localhost:*","i.ytimg.com","iiif.archive.org","inaturalist-open-data.s3.amazonaws.com","live.staticflickr.com","localhost","mediawiki.org","meta.wikimedia.org","opac.sbn.it","overpass-api.de","parsifal.urbe.it","publicai-proxy.alaexis.workers.dev","qlever.dev","radically.github.io","raw.githubusercontent.com","registry.ipe.wiki","rsms.me","unpkg.com","use.fontawesome.com","use.typekit.net","validator.w3.org","viaf.org","wikimedia.org","wikipedia-archive.ourworldindata.org","wikisource.org","ws://localhost:*","wss://*.toolforge.org","wss://localhost:*","ya.ru","yastatic.net"],"style-src":["'self'","'unsafe-inline'","*.github.com","*.google.com","*.googleapis.com","*.gstatic.com","*.jsdelivr.net","*.mediawiki.org","*.openstreetmap.org","*.thunderforest.com","*.toolforge.org","*.translate.yandex.net","*.waymarkedtrails.org","*.wikibooks.org","*.wikidata.org","*.wikifunctions.org","*.wikimedia.org","*.wikinews.org","*.wikipedia.org","*.wikiquote.org","*.wikisource.org","*.wikiversity.org","*.wikivoyage.org","*.wiktionary.org","*.wmcloud.org","*.wmflabs.org","analytics.ipe.wiki","api.anthropic.com","api.flickr.com","api.inaturalist.org","api.openai.com","api.openrouteservice.org","api.publicai.co","app.goacoustic.com","archive.org","blob:","catalogo.pusc.it","cdn.fontshare.com","cdn.mathjax.org","cdn.sammdot.ca","cdnjs.cloudflare.com","code.jquery.com","data:","db.onlinewebfonts.com","doi.org","fontlibrary.org","fonts.cdnfonts.com","http://localhost:*","https://commons.wikimedia.org","https://localhost:*","i.ytimg.com","iiif.archive.org","inaturalist-open-data.s3.amazonaws.com","live.staticflickr.com","localhost","mediawiki.org","meta.wikimedia.org","opac.sbn.it","overpass-api.de","parsifal.urbe.it","publicai-proxy.alaexis.workers.dev","qlever.dev","radically.github.io","raw.githubusercontent.com","registry.ipe.wiki","rsms.me","unpkg.com","upload.wikimedia.org","use.fontawesome.com","use.typekit.net","validator.w3.org","viaf.org","wikimedia.org","wikipedia-archive.ourworldindata.org","wikisource.org","ws://localhost:*","wss://*.toolforge.org","wss://localhost:*","ya.ru","yastatic.net"]},"directiveOrder":["script-src","default-src","style-src","object-src","report-uri","report-to"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*.github.com":"host-source","*.google.com":"host-source","*.googleapis.com":"host-source","*.gstatic.com":"host-source","*.jsdelivr.net":"host-source","*.mediawiki.org":"host-source","*.openstreetmap.org":"host-source","*.thunderforest.com":"host-source","*.toolforge.org":"host-source","*.translate.yandex.net":"host-source","*.waymarkedtrails.org":"host-source","*.wikibooks.org":"host-source","*.wikidata.org":"host-source","*.wikifunctions.org":"host-source","*.wikimedia.org":"host-source","*.wikinews.org":"host-source","*.wikipedia.org":"host-source","*.wikiquote.org":"host-source","*.wikisource.org":"host-source","*.wikiversity.org":"host-source","*.wikivoyage.org":"host-source","*.wiktionary.org":"host-source","*.wmcloud.org":"host-source","*.wmflabs.org":"host-source","/w/api.php?action=cspreport\u0026format=json":"","analytics.ipe.wiki":"host-source","api.anthropic.com":"host-source","api.flickr.com":"host-source","api.inaturalist.org":"host-source","api.openai.com":"host-source","api.openrouteservice.org":"host-source","api.publicai.co":"host-source","app.goacoustic.com":"host-source","archive.org":"host-source","auth.wikimedia.org":"host-source","blob:":"scheme-source","catalogo.pusc.it":"host-source","cdn.fontshare.com":"host-source","cdn.mathjax.org":"host-source","cdn.sammdot.ca":"host-source","cdnjs.cloudflare.com":"host-source","code.jquery.com":"host-source","commons.wikimedia.org":"host-source","csp-report-to-endpoint":"host-source","data:":"scheme-source","db.onlinewebfonts.com":"host-source","doi.org":"host-source","en.wikibooks.org":"host-source","en.wikinews.org":"host-source","en.wikiquote.org":"host-source","en.wikisource.org":"host-source","en.wikiversity.org":"host-source","en.wikivoyage.org":"host-source","en.wiktionary.org":"host-source","fontlibrary.org":"host-source","fonts.cdnfonts.com":"host-source","foundation.wikimedia.org":"host-source","http://localhost:*":"host-source","https://commons.wikimedia.org":"host-source","https://localhost:*":"host-source","i.ytimg.com":"host-source","iiif.archive.org":"host-source","inaturalist-open-data.s3.amazonaws.com":"host-source","incubator.wikimedia.org":"host-source","live.staticflickr.com":"host-source","localhost":"host-source","mediawiki.org":"host-source","meta.wikimedia.org":"host-source","opac.sbn.it":"host-source","overpass-api.de":"host-source","parsifal.urbe.it":"host-source","publicai-proxy.alaexis.workers.dev":"host-source","qlever.dev":"host-source","radically.github.io":"host-source","raw.githubusercontent.com":"host-source","registry.ipe.wiki":"host-source","rsms.me":"host-source","species.wikimedia.org":"host-source","unpkg.com":"host-source","upload.wikimedia.org":"host-source","use.fontawesome.com":"host-source","use.typekit.net":"host-source","validator.w3.org":"host-source","viaf.org":"host-source","wikimania.wikimedia.org":"host-source","wikimedia.org":"host-source","wikipedia-archive.ourworldindata.org":"host-source","wikisource.org":"host-source","ws://localhost:*":"host-source","wss://*.toolforge.org":"host-source","wss://localhost:*":"host-source","www.mediawiki.org":"host-source","www.wikidata.org":"host-source","www.wikifunctions.org":"host-source","ya.ru":"host-source","yastatic.net":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self' *.github.com *.google.com *.googleapis.com *.gstatic.com *.jsdelivr.net *.mediawiki.org *.openstreetmap.org *.thunderforest.com *.toolforge.org *.translate.yandex.net *.waymarkedtrails.org *.wikibooks.org *.wikidata.org *.wikifunctions.org *.wikimedia.org *.wikinews.org *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikivoyage.org *.wiktionary.org *.wmcloud.org *.wmflabs.org analytics.ipe.wiki api.anthropic.com api.flickr.com api.inaturalist.org api.openai.com api.openrouteservice.org api.publicai.co app.goacoustic.com archive.org auth.wikimedia.org blob: catalogo.pusc.it cdn.fontshare.com cdn.mathjax.org cdn.sammdot.ca cdnjs.cloudflare.com code.jquery.com commons.wikimedia.org data: db.onlinewebfonts.com doi.org en.wikibooks.org en.wikinews.org en.wikiquote.org en.wikisource.org en.wikiversity.org en.wikivoyage.org en.wiktionary.org fontlibrary.org fonts.cdnfonts.com foundation.wikimedia.org http://localhost:* https://commons.wikimedia.org https://localhost:* i.ytimg.com iiif.archive.org inaturalist-open-data.s3.amazonaws.com incubator.wikimedia.org live.staticflickr.com localhost mediawiki.org meta.wikimedia.org opac.sbn.it overpass-api.de parsifal.urbe.it publicai-proxy.alaexis.workers.dev qlever.dev radically.github.io raw.githubusercontent.com registry.ipe.wiki rsms.me species.wikimedia.org unpkg.com upload.wikimedia.org use.fontawesome.com use.typekit.net validator.w3.org viaf.org wikimania.wikimedia.org wikimedia.org wikipedia-archive.ourworldindata.org wikisource.org ws://localhost:* wss://*.toolforge.org wss://localhost:* www.mediawiki.org www.wikidata.org www.wikifunctions.org ya.ru yastatic.net; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.github.com *.google.com *.googleapis.com *.gstatic.com *.jsdelivr.net *.mediawiki.org *.openstreetmap.org *.thunderforest.com *.toolforge.org *.translate.yandex.net *.waymarkedtrails.org *.wikibooks.org *.wikidata.org *.wikifunctions.org *.wikimedia.org *.wikinews.org *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikivoyage.org *.wiktionary.org *.wmcloud.org *.wmflabs.org analytics.ipe.wiki api.anthropic.com api.flickr.com api.inaturalist.org api.openai.com api.openrouteservice.org api.publicai.co app.goacoustic.com archive.org auth.wikimedia.org blob: catalogo.pusc.it cdn.fontshare.com cdn.mathjax.org cdn.sammdot.ca cdnjs.cloudflare.com code.jquery.com db.onlinewebfonts.com doi.org fontlibrary.org fonts.cdnfonts.com http://localhost:* https://localhost:* i.ytimg.com iiif.archive.org inaturalist-open-data.s3.amazonaws.com live.staticflickr.com localhost mediawiki.org meta.wikimedia.org opac.sbn.it overpass-api.de parsifal.urbe.it publicai-proxy.alaexis.workers.dev qlever.dev radically.github.io raw.githubusercontent.com registry.ipe.wiki rsms.me unpkg.com use.fontawesome.com use.typekit.net validator.w3.org viaf.org wikimedia.org wikipedia-archive.ourworldindata.org wikisource.org ws://localhost:* wss://*.toolforge.org wss://localhost:* ya.ru yastatic.net; style-src 'self' 'unsafe-inline' *.github.com *.google.com *.googleapis.com *.gstatic.com *.jsdelivr.net *.mediawiki.org *.openstreetmap.org *.thunderforest.com *.toolforge.org *.translate.yandex.net *.waymarkedtrails.org *.wikibooks.org *.wikidata.org *.wikifunctions.org *.wikimedia.org *.wikinews.org *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikivoyage.org *.wiktionary.org *.wmcloud.org *.wmflabs.org analytics.ipe.wiki api.anthropic.com api.flickr.com api.inaturalist.org api.openai.com api.openrouteservice.org api.publicai.co app.goacoustic.com archive.org blob: catalogo.pusc.it cdn.fontshare.com cdn.mathjax.org cdn.sammdot.ca cdnjs.cloudflare.com code.jquery.com data: db.onlinewebfonts.com doi.org fontlibrary.org fonts.cdnfonts.com http://localhost:* https://commons.wikimedia.org https://localhost:* i.ytimg.com iiif.archive.org inaturalist-open-data.s3.amazonaws.com live.staticflickr.com localhost mediawiki.org meta.wikimedia.org opac.sbn.it overpass-api.de parsifal.urbe.it publicai-proxy.alaexis.workers.dev qlever.dev radically.github.io raw.githubusercontent.com registry.ipe.wiki rsms.me unpkg.com upload.wikimedia.org use.fontawesome.com use.typekit.net validator.w3.org viaf.org wikimedia.org wikipedia-archive.ourworldindata.org wikisource.org ws://localhost:* wss://*.toolforge.org wss://localhost:* ya.ru yastatic.net; object-src 'none'; report-to csp-report-to-endpoint; report-uri /w/api.php?action=cspreport\u0026format=json;"],"stats":{"totalHigh":2,"totalMedium":112,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"default-src","source":"data:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.github.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.googleapis.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.jsdelivr.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.mediawiki.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.openstreetmap.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.thunderforest.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.toolforge.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.translate.yandex.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.waymarkedtrails.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikibooks.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikidata.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikifunctions.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikimedia.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikinews.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikipedia.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikiquote.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikisource.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikiversity.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wikivoyage.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wiktionary.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wmcloud.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.wmflabs.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"http://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"ws://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"wss://*.toolforge.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"wss://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.github.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.googleapis.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.jsdelivr.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.mediawiki.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.openstreetmap.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.thunderforest.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.toolforge.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.translate.yandex.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.waymarkedtrails.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikibooks.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikidata.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikifunctions.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikimedia.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikinews.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikipedia.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikiquote.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikisource.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikiversity.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wikivoyage.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wiktionary.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wmcloud.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.wmflabs.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"http://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"ws://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"wss://*.toolforge.org","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"wss://localhost:*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"analytics.ipe.wiki","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.anthropic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.flickr.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.inaturalist.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.openai.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.openrouteservice.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.publicai.co","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"app.goacoustic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"archive.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"auth.wikimedia.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"catalogo.pusc.it","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.fontshare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.mathjax.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.sammdot.ca","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"db.onlinewebfonts.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"doi.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"fontlibrary.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"fonts.cdnfonts.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"i.ytimg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"iiif.archive.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"inaturalist-open-data.s3.amazonaws.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"live.staticflickr.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"localhost","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"mediawiki.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"meta.wikimedia.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"opac.sbn.it","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"overpass-api.de","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"parsifal.urbe.it","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"publicai-proxy.alaexis.workers.dev","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"qlever.dev","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"radically.github.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"raw.githubusercontent.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"registry.ipe.wiki","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"rsms.me","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"unpkg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"use.fontawesome.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"use.typekit.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"validator.w3.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"viaf.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"wikimedia.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"wikipedia-archive.ourworldindata.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"wikisource.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"ya.ru","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"yastatic.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"default-src","source":"http://localhost:*","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"default-src","source":"ws://localhost:*","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http://localhost:*","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"ws://localhost:*","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"style-src","source":"http://localhost:*","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"style-src","source":"ws://localhost:*","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a557347282f32c00d5a5f3f","ts":"2026-07-13T23:22:47.913Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.w3schools.com","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors 'self' https://mycourses.w3schools.com https://pathfinder.w3schools.com;","directives":{"frame-ancestors":["'self'","https://mycourses.w3schools.com","https://pathfinder.w3schools.com"]},"directiveOrder":["frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","https://mycourses.w3schools.com":"host-source","https://pathfinder.w3schools.com":"host-source"}},"disposition":"enforce","source":"header","policies":["frame-ancestors 'self' https://mycourses.w3schools.com https://pathfinder.w3schools.com;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a55571d9b3483eecbc3688f","ts":"2026-07-13T21:22:37.263Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.eporner.com/","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests;","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a5542ed282f32c00d5a5f3c","ts":"2026-07-13T19:56:29.857Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://stb.portraitvision.net/adm/pvi-admin?action=dashboard","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:","directives":{"default-src":["'self'"],"img-src":["'self'","data:"],"style-src":["'self'","'unsafe-inline'"]},"directiveOrder":["default-src","style-src","img-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"],"stats":{"totalHigh":0,"totalMedium":4,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (with default-src)","severity":"MEDIUM","directive":"script-src","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing. Right now it is falling back to default-src","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a55129b9b3483eecbc3688a","ts":"2026-07-13T16:30:19.287Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.galbraithgroup.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; form-action 'self' https://1e55cf80e33fe9dfb04fb5c9157e80.a7.environment.api.powerplatform.com; script-src 'self' 'nonce-HWNVh/r/FLzft3KPy26z/w==' 'strict-dynamic' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://www.google.com https://www.gstatic.com https://ssl.gstatic.com https://consent.cookiebot.com https://consentcdn.cookiebot.com https://maps.gstatic.com https://maps.googleapis.com https://mapsresources-pa.googleapis.com https://*.dotdigital.com https://*.dotdigital-email.com https://*.dotdigitalusercontent.com https://*.dotdigital-pages.com https://trackedlink.net https://r1-t.trackedlink.net https://r1.trackedweb.net https://updates.galbraithgroup.com ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://i.vimeocdn.com https://*.vimeocdn.com https://image.isu.pub https://maps.gstatic.com https://maps.googleapis.com https://mapsresources-pa.googleapis.com https://places.googleapis.com https://*.spotifycdn.com/ https://www.google-analytics.com https://region1.google-analytics.com https://www.googletagmanager.com https://www.google.co.uk https://raw.githubusercontent.com/sandyk-w/staticfiles/main/mapPinDarkBlue.png https://www.google.co.uk/ads/ga-audiences ; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://region1.analytics.google.com https://www.googletagmanager.com https://stats.g.doubleclick.net/g/collect https://consent.cookiebot.com https://consentcdn.cookiebot.com https://vimeo.com https://maps.gstatic.com https://maps.googleapis.com https://mapsresources-pa.googleapis.com https://places.googleapis.com https://r1.trackedweb.net https://*.dotdigital.com https://*.dotdigital-email.com https://*.dotdigitalusercontent.com https://*.dotdigital-pages.com https://www.google.com/ccm/collect https://ad.doubleclick.net/ccm/s/collect https://open.spotify.com ; frame-src 'self' https://player.vimeo.com https://*.vimeocdn.com https://my.matterport.com https://*.matterport.com https://www.youtube.com https://www.youtube-nocookie.com https://consentcdn.cookiebot.com https://open.spotify.com https://kuula.co","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://*.dotdigital-email.com","https://*.dotdigital-pages.com","https://*.dotdigital.com","https://*.dotdigitalusercontent.com","https://ad.doubleclick.net/ccm/s/collect","https://consent.cookiebot.com","https://consentcdn.cookiebot.com","https://maps.googleapis.com","https://maps.gstatic.com","https://mapsresources-pa.googleapis.com","https://open.spotify.com","https://places.googleapis.com","https://r1.trackedweb.net","https://region1.analytics.google.com","https://region1.google-analytics.com","https://stats.g.doubleclick.net/g/collect","https://vimeo.com","https://www.google-analytics.com","https://www.google.com/ccm/collect","https://www.googletagmanager.com"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'","https://1e55cf80e33fe9dfb04fb5c9157e80.a7.environment.api.powerplatform.com"],"frame-ancestors":["'none'"],"frame-src":["'self'","https://*.matterport.com","https://*.vimeocdn.com","https://consentcdn.cookiebot.com","https://kuula.co","https://my.matterport.com","https://open.spotify.com","https://player.vimeo.com","https://www.youtube-nocookie.com","https://www.youtube.com"],"img-src":["'self'","data:","https://*.spotifycdn.com/","https://*.vimeocdn.com","https://i.vimeocdn.com","https://image.isu.pub","https://maps.googleapis.com","https://maps.gstatic.com","https://mapsresources-pa.googleapis.com","https://places.googleapis.com","https://raw.githubusercontent.com/sandyk-w/staticfiles/main/mapPinDarkBlue.png","https://region1.google-analytics.com","https://www.google-analytics.com","https://www.google.co.uk","https://www.google.co.uk/ads/ga-audiences","https://www.googletagmanager.com"],"object-src":["'none'"],"script-src":["'nonce-HWNVh/r/FLzft3KPy26z/w=='","'self'","'strict-dynamic'","'unsafe-eval'","https://*.dotdigital-email.com","https://*.dotdigital-pages.com","https://*.dotdigital.com","https://*.dotdigitalusercontent.com","https://analytics.google.com","https://consent.cookiebot.com","https://consentcdn.cookiebot.com","https://maps.googleapis.com","https://maps.gstatic.com","https://mapsresources-pa.googleapis.com","https://r1-t.trackedlink.net","https://r1.trackedweb.net","https://ssl.gstatic.com","https://trackedlink.net","https://updates.galbraithgroup.com","https://www.google-analytics.com","https://www.google.com","https://www.googletagmanager.com","https://www.gstatic.com"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","base-uri","object-src","frame-ancestors","upgrade-insecure-requests","form-action","script-src","style-src","img-src","font-src","connect-src","frame-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-HWNVh/r/FLzft3KPy26z/w=='":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","'strict-dynamic'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https://*.dotdigital-email.com":"host-source","https://*.dotdigital-pages.com":"host-source","https://*.dotdigital.com":"host-source","https://*.dotdigitalusercontent.com":"host-source","https://*.matterport.com":"host-source","https://*.spotifycdn.com/":"host-source","https://*.vimeocdn.com":"host-source","https://1e55cf80e33fe9dfb04fb5c9157e80.a7.environment.api.powerplatform.com":"host-source","https://ad.doubleclick.net/ccm/s/collect":"host-source","https://analytics.google.com":"host-source","https://consent.cookiebot.com":"host-source","https://consentcdn.cookiebot.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://i.vimeocdn.com":"host-source","https://image.isu.pub":"host-source","https://kuula.co":"host-source","https://maps.googleapis.com":"host-source","https://maps.gstatic.com":"host-source","https://mapsresources-pa.googleapis.com":"host-source","https://my.matterport.com":"host-source","https://open.spotify.com":"host-source","https://places.googleapis.com":"host-source","https://player.vimeo.com":"host-source","https://r1-t.trackedlink.net":"host-source","https://r1.trackedweb.net":"host-source","https://raw.githubusercontent.com/sandyk-w/staticfiles/main/mapPinDarkBlue.png":"host-source","https://region1.analytics.google.com":"host-source","https://region1.google-analytics.com":"host-source","https://ssl.gstatic.com":"host-source","https://stats.g.doubleclick.net/g/collect":"host-source","https://trackedlink.net":"host-source","https://updates.galbraithgroup.com":"host-source","https://vimeo.com":"host-source","https://www.google-analytics.com":"host-source","https://www.google.co.uk":"host-source","https://www.google.co.uk/ads/ga-audiences":"host-source","https://www.google.com":"host-source","https://www.google.com/ccm/collect":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source","https://www.youtube-nocookie.com":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'nonce-HWNVh/r/FLzft3KPy26z/w==' 'self' 'strict-dynamic' 'unsafe-eval' https://*.dotdigital-email.com https://*.dotdigital-pages.com https://*.dotdigital.com https://*.dotdigitalusercontent.com https://analytics.google.com https://consent.cookiebot.com https://consentcdn.cookiebot.com https://maps.googleapis.com https://maps.gstatic.com https://mapsresources-pa.googleapis.com https://r1-t.trackedlink.net https://r1.trackedweb.net https://ssl.gstatic.com https://trackedlink.net https://updates.galbraithgroup.com https://www.google-analytics.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://*.dotdigital-email.com https://*.dotdigital-pages.com https://*.dotdigital.com https://*.dotdigitalusercontent.com https://ad.doubleclick.net/ccm/s/collect https://consent.cookiebot.com https://consentcdn.cookiebot.com https://maps.googleapis.com https://maps.gstatic.com https://mapsresources-pa.googleapis.com https://open.spotify.com https://places.googleapis.com https://r1.trackedweb.net https://region1.analytics.google.com https://region1.google-analytics.com https://stats.g.doubleclick.net/g/collect https://vimeo.com https://www.google-analytics.com https://www.google.com/ccm/collect https://www.googletagmanager.com; font-src 'self' https://fonts.gstatic.com; form-action 'self' https://1e55cf80e33fe9dfb04fb5c9157e80.a7.environment.api.powerplatform.com; frame-ancestors 'none'; frame-src 'self' https://*.matterport.com https://*.vimeocdn.com https://consentcdn.cookiebot.com https://kuula.co https://my.matterport.com https://open.spotify.com https://player.vimeo.com https://www.youtube-nocookie.com https://www.youtube.com; img-src 'self' data: https://*.spotifycdn.com/ https://*.vimeocdn.com https://i.vimeocdn.com https://image.isu.pub https://maps.googleapis.com https://maps.gstatic.com https://mapsresources-pa.googleapis.com https://places.googleapis.com https://raw.githubusercontent.com/sandyk-w/staticfiles/main/mapPinDarkBlue.png https://region1.google-analytics.com https://www.google-analytics.com https://www.google.co.uk https://www.google.co.uk/ads/ga-audiences https://www.googletagmanager.com; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":21,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://r1-t.trackedlink.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.dotdigital-email.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.dotdigital-pages.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.dotdigital.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.dotdigitalusercontent.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://analytics.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://consent.cookiebot.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://consentcdn.cookiebot.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://maps.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://maps.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://mapsresources-pa.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ssl.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://r1.trackedweb.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://trackedlink.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://updates.galbraithgroup.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"img-src","source":"https://www.google.co.uk/ads/ga-audiences","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54f3b4282f32c00d5a5f32","ts":"2026-07-13T14:18:28.206Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://apexprevention.com/","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests;","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54e3ff9b3483eecbc3687d","ts":"2026-07-13T13:11:27.995Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://pwpa.ltimindtree.com","isHidden":false,"parsedPolicy":{"policy":"form-action 'self'; report-to 'self'; frame-ancestors 'self'","directives":{"form-action":["'self'"],"frame-ancestors":["'self'"],"report-to":["'self'"]},"directiveOrder":["form-action","report-to","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["form-action 'self'; frame-ancestors 'self'; report-to 'self';"],"stats":{"totalHigh":2,"totalMedium":1,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54dca79b3483eecbc3687c","ts":"2026-07-13T12:40:07.091Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://view.relacionamento.arcelormittal.com.br/Error.aspx","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; frame-ancestors 'self'","directives":{"default-src":["'self'"],"frame-ancestors":["'self'"]},"directiveOrder":["default-src","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; frame-ancestors 'self';"],"stats":{"totalHigh":0,"totalMedium":4,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (with default-src)","severity":"MEDIUM","directive":"script-src","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing. Right now it is falling back to default-src","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54cefd282f32c00d5a5f2f","ts":"2026-07-13T11:41:49.435Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://sci.conautrj.com.br/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data: https:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'"],"default-src":["'self'"],"font-src":["'self'","data:","https:"],"form-action":["'self'"],"frame-ancestors":["'self'"],"img-src":["'self'","blob:","data:","https:"],"object-src":["'none'"],"script-src":["'self'","'unsafe-inline'"],"style-src":["'self'","'unsafe-inline'"]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","object-src","frame-ancestors","base-uri","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https:":"scheme-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self' data: https:; form-action 'self'; frame-ancestors 'self'; img-src 'self' blob: data: https:;"],"stats":{"totalHigh":1,"totalMedium":1,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54c1f6282f32c00d5a5f2e","ts":"2026-07-13T10:46:14.321Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ultimaworks.ltimindtree.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.botframework.com https://spdevstrgprod.blob.core.windows.net blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com; font-src 'self' https://fonts.gstatic.com blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://spdevstrgprod.blob.core.windows.neti blob: https://cdn.ckeditor.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://ultimaworks.ltimindtree.com https://cdn.ckeditor.com https://proxy-event.ckeditor.com; img-src 'self' https://ultimabot-teams-prod.azurewebsites.net/ https://ultimaworks.blob.core.windows.net/ https://mt-ultima-webbot-prod.azurewebsites.net https://stultimabotprod.blob.core.windows.net/ data: blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com; connect-src 'self' https://login.microsoftonline.com/ https://res.cdn.office.net/ https://7cb20a45c635e360ba9b39f952c023.da.environment.api.powerplatform.com/ https://6fdfe4acb72ee4eba7e4d02e4164b3.d9.environment.api.powerplatform.com/ https://ultimaworksapi.ltimindtree.com/ https://ultimaworks.blob.core.windows.net/ https://ultimaworks.ltimindtree.com https://directline.botframework.com wss://directline.botframework.com https://ultimabot-api-prod.azurewebsites.net/ https://mtultimamobileprod.z30.web.core.windows.net blob: https://pws-collect.pdftron.com https://um.ltimindtree.com https://www.pdftron.com blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com; frame-src https://ethrapps.ltimindtree.com https://etsfapps.ltimindtree.com/ https://bookmyseat.ltimindtree.com/ https://ideal.ltimindtree.com/ https://app.powerbi.com https://surpaasmaas.corenttechnology.com https://apps.powerapps.com https://digital.ltimindtree.com/ https://ultimaworks.ltimindtree.com/ blob:; worker-src https://ultimaworks.ltimindtree.com https://cdn.ckeditor.com https://proxy-event.ckeditor.com; script-src-elem 'self' 'unsafe-inline' https://alcdn.msauth.net/ https://alcdn.msftauth.net/ https://spdevstrgprod.blob.core.windows.net https://cdn.jsdelivr.net https://cdn.botframework.com blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com; media-src 'self' 'unsafe-inline' https://ultimaworks.blob.core.windows.net/ blob: https://stultimabotprod.blob.core.windows.net/ https://cdn.ckeditor.com https://proxy-event.ckeditor.com; frame-ancestors 'self' https://ultimaworks.ltimindtree.com https://teams.microsoft.com https://login.microsoftonline.com;","directives":{"connect-src":["'self'","blob:","blob:","https://6fdfe4acb72ee4eba7e4d02e4164b3.d9.environment.api.powerplatform.com/","https://7cb20a45c635e360ba9b39f952c023.da.environment.api.powerplatform.com/","https://cdn.ckeditor.com","https://directline.botframework.com","https://login.microsoftonline.com/","https://mtultimamobileprod.z30.web.core.windows.net","https://proxy-event.ckeditor.com","https://pws-collect.pdftron.com","https://res.cdn.office.net/","https://ultimabot-api-prod.azurewebsites.net/","https://ultimaworks.blob.core.windows.net/","https://ultimaworks.ltimindtree.com","https://ultimaworksapi.ltimindtree.com/","https://um.ltimindtree.com","https://www.pdftron.com","wss://directline.botframework.com"],"default-src":["'self'"],"font-src":["'self'","blob:","https://cdn.ckeditor.com","https://fonts.gstatic.com","https://proxy-event.ckeditor.com"],"frame-ancestors":["'self'","https://login.microsoftonline.com","https://teams.microsoft.com","https://ultimaworks.ltimindtree.com"],"frame-src":["blob:","https://app.powerbi.com","https://apps.powerapps.com","https://bookmyseat.ltimindtree.com/","https://digital.ltimindtree.com/","https://ethrapps.ltimindtree.com","https://etsfapps.ltimindtree.com/","https://ideal.ltimindtree.com/","https://surpaasmaas.corenttechnology.com","https://ultimaworks.ltimindtree.com/"],"img-src":["'self'","blob:","data:","https://cdn.ckeditor.com","https://mt-ultima-webbot-prod.azurewebsites.net","https://proxy-event.ckeditor.com","https://stultimabotprod.blob.core.windows.net/","https://ultimabot-teams-prod.azurewebsites.net/","https://ultimaworks.blob.core.windows.net/"],"media-src":["'self'","'unsafe-inline'","blob:","https://cdn.ckeditor.com","https://proxy-event.ckeditor.com","https://stultimabotprod.blob.core.windows.net/","https://ultimaworks.blob.core.windows.net/"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","blob:","https://cdn.botframework.com","https://cdn.ckeditor.com","https://proxy-event.ckeditor.com","https://spdevstrgprod.blob.core.windows.net"],"script-src-elem":["'self'","'unsafe-inline'","blob:","https://alcdn.msauth.net/","https://alcdn.msftauth.net/","https://cdn.botframework.com","https://cdn.ckeditor.com","https://cdn.jsdelivr.net","https://proxy-event.ckeditor.com","https://spdevstrgprod.blob.core.windows.net"],"style-src":["'self'","'unsafe-inline'","https://cdn.ckeditor.com","https://fonts.googleapis.com","https://proxy-event.ckeditor.com","https://ultimaworks.ltimindtree.com"],"style-src-elem":["'self'","'unsafe-inline'","blob:","https://cdn.ckeditor.com","https://fonts.googleapis.com","https://spdevstrgprod.blob.core.windows.neti"],"worker-src":["https://cdn.ckeditor.com","https://proxy-event.ckeditor.com","https://ultimaworks.ltimindtree.com"]},"directiveOrder":["default-src","script-src","font-src","style-src-elem","style-src","img-src","connect-src","frame-src","worker-src","script-src-elem","media-src","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://6fdfe4acb72ee4eba7e4d02e4164b3.d9.environment.api.powerplatform.com/":"host-source","https://7cb20a45c635e360ba9b39f952c023.da.environment.api.powerplatform.com/":"host-source","https://alcdn.msauth.net/":"host-source","https://alcdn.msftauth.net/":"host-source","https://app.powerbi.com":"host-source","https://apps.powerapps.com":"host-source","https://bookmyseat.ltimindtree.com/":"host-source","https://cdn.botframework.com":"host-source","https://cdn.ckeditor.com":"host-source","https://cdn.jsdelivr.net":"host-source","https://digital.ltimindtree.com/":"host-source","https://directline.botframework.com":"host-source","https://ethrapps.ltimindtree.com":"host-source","https://etsfapps.ltimindtree.com/":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://ideal.ltimindtree.com/":"host-source","https://login.microsoftonline.com":"host-source","https://login.microsoftonline.com/":"host-source","https://mt-ultima-webbot-prod.azurewebsites.net":"host-source","https://mtultimamobileprod.z30.web.core.windows.net":"host-source","https://proxy-event.ckeditor.com":"host-source","https://pws-collect.pdftron.com":"host-source","https://res.cdn.office.net/":"host-source","https://spdevstrgprod.blob.core.windows.net":"host-source","https://spdevstrgprod.blob.core.windows.neti":"host-source","https://stultimabotprod.blob.core.windows.net/":"host-source","https://surpaasmaas.corenttechnology.com":"host-source","https://teams.microsoft.com":"host-source","https://ultimabot-api-prod.azurewebsites.net/":"host-source","https://ultimabot-teams-prod.azurewebsites.net/":"host-source","https://ultimaworks.blob.core.windows.net/":"host-source","https://ultimaworks.ltimindtree.com":"host-source","https://ultimaworks.ltimindtree.com/":"host-source","https://ultimaworksapi.ltimindtree.com/":"host-source","https://um.ltimindtree.com":"host-source","https://www.pdftron.com":"host-source","wss://directline.botframework.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https://cdn.botframework.com https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://spdevstrgprod.blob.core.windows.net; script-src-elem 'self' 'unsafe-inline' blob: https://alcdn.msauth.net/ https://alcdn.msftauth.net/ https://cdn.botframework.com https://cdn.ckeditor.com https://cdn.jsdelivr.net https://proxy-event.ckeditor.com https://spdevstrgprod.blob.core.windows.net; style-src 'self' 'unsafe-inline' https://cdn.ckeditor.com https://fonts.googleapis.com https://proxy-event.ckeditor.com https://ultimaworks.ltimindtree.com; style-src-elem 'self' 'unsafe-inline' blob: https://cdn.ckeditor.com https://fonts.googleapis.com https://spdevstrgprod.blob.core.windows.neti; connect-src 'self' blob: https://6fdfe4acb72ee4eba7e4d02e4164b3.d9.environment.api.powerplatform.com/ https://7cb20a45c635e360ba9b39f952c023.da.environment.api.powerplatform.com/ https://cdn.ckeditor.com https://directline.botframework.com https://login.microsoftonline.com/ https://mtultimamobileprod.z30.web.core.windows.net https://proxy-event.ckeditor.com https://pws-collect.pdftron.com https://res.cdn.office.net/ https://ultimabot-api-prod.azurewebsites.net/ https://ultimaworks.blob.core.windows.net/ https://ultimaworks.ltimindtree.com https://ultimaworksapi.ltimindtree.com/ https://um.ltimindtree.com https://www.pdftron.com wss://directline.botframework.com; font-src 'self' blob: https://cdn.ckeditor.com https://fonts.gstatic.com https://proxy-event.ckeditor.com; frame-ancestors 'self' https://login.microsoftonline.com https://teams.microsoft.com https://ultimaworks.ltimindtree.com; frame-src blob: https://app.powerbi.com https://apps.powerapps.com https://bookmyseat.ltimindtree.com/ https://digital.ltimindtree.com/ https://ethrapps.ltimindtree.com https://etsfapps.ltimindtree.com/ https://ideal.ltimindtree.com/ https://surpaasmaas.corenttechnology.com https://ultimaworks.ltimindtree.com/; img-src 'self' blob: data: https://cdn.ckeditor.com https://mt-ultima-webbot-prod.azurewebsites.net https://proxy-event.ckeditor.com https://stultimabotprod.blob.core.windows.net/ https://ultimabot-teams-prod.azurewebsites.net/ https://ultimaworks.blob.core.windows.net/; media-src 'self' 'unsafe-inline' blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://stultimabotprod.blob.core.windows.net/ https://ultimaworks.blob.core.windows.net/; worker-src https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://ultimaworks.ltimindtree.com;"],"stats":{"totalHigh":1,"totalMedium":8,"totalLow":7,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://spdevstrgprod.blob.core.windows.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.botframework.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://proxy-event.ckeditor.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.ckeditor.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"media-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"style-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"script-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54c0929b3483eecbc36877","ts":"2026-07-13T10:40:18.588Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://identity-ind.energyexemplar.com","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors 'none';default-src 'self';img-src 'self' data: blob: data.eu.pendo.io cdn.eu.pendo.io app.eu.pendo.io https://pendo-eu-static-5648358927892480.storage.googleapis.com data.tpanalytics.energyexemplar.com https://content.tpanalytics.energyexemplar.com;script-src 'self' *.azureedge.net d3sbxpiag177w8.cloudfront.net data.tpanalytics.energyexemplar.com content.tpanalytics.energyexemplar.com app.eu.pendo.io cdn.eu.pendo.io data.eu.pendo.io pendo-eu-io-static.storage.googleapis.com pendo-static-5648358927892480.storage.googleapis.com;style-src 'self' 'unsafe-inline' *.googleapis.com content.tpanalytics.energyexemplar.com data.tpanalytics.energyexemplar.com app.eu.pendo.io cdn.eu.pendo.io pendo-eu-static-5648358927892480.storage.googleapis.com;connect-src 'self' *.energyexemplar.com dc.services.visualstudio.com https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com app.eu.pendo.io data.eu.pendo.io pendo-eu-static-5648358927892480.storage.googleapis.com data.tpanalytics.energyexemplar.com content.tpanalytics.energyexemplar.com https://js.monitor.azure.com;frame-src 'self' *.energyexemplar.com https://www.google.com app.eu.pendo.io;font-src 'self' data: fonts.gstatic.com;child-src 'self' blob:;worker-src 'self' blob:;object-src 'self';base-uri 'none';media-src https://vimeo.com;","directives":{"base-uri":["'none'"],"child-src":["'self'","blob:"],"connect-src":["'self'","*.energyexemplar.com","app.eu.pendo.io","content.tpanalytics.energyexemplar.com","data.eu.pendo.io","data.tpanalytics.energyexemplar.com","dc.services.visualstudio.com","https://*.tiles.mapbox.com","https://api.mapbox.com","https://events.mapbox.com","https://js.monitor.azure.com","pendo-eu-static-5648358927892480.storage.googleapis.com"],"default-src":["'self'"],"font-src":["'self'","data:","fonts.gstatic.com"],"frame-ancestors":["'none'"],"frame-src":["'self'","*.energyexemplar.com","app.eu.pendo.io","https://www.google.com"],"img-src":["'self'","app.eu.pendo.io","blob:","cdn.eu.pendo.io","data.eu.pendo.io","data.tpanalytics.energyexemplar.com","data:","https://content.tpanalytics.energyexemplar.com","https://pendo-eu-static-5648358927892480.storage.googleapis.com"],"media-src":["https://vimeo.com"],"object-src":["'self'"],"script-src":["'self'","*.azureedge.net","app.eu.pendo.io","cdn.eu.pendo.io","content.tpanalytics.energyexemplar.com","d3sbxpiag177w8.cloudfront.net","data.eu.pendo.io","data.tpanalytics.energyexemplar.com","pendo-eu-io-static.storage.googleapis.com","pendo-static-5648358927892480.storage.googleapis.com"],"style-src":["'self'","'unsafe-inline'","*.googleapis.com","app.eu.pendo.io","cdn.eu.pendo.io","content.tpanalytics.energyexemplar.com","data.tpanalytics.energyexemplar.com","pendo-eu-static-5648358927892480.storage.googleapis.com"],"worker-src":["'self'","blob:"]},"directiveOrder":["frame-ancestors","default-src","img-src","script-src","style-src","connect-src","frame-src","font-src","child-src","worker-src","object-src","base-uri","media-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","*.azureedge.net":"host-source","*.energyexemplar.com":"host-source","*.googleapis.com":"host-source","app.eu.pendo.io":"host-source","blob:":"scheme-source","cdn.eu.pendo.io":"host-source","content.tpanalytics.energyexemplar.com":"host-source","d3sbxpiag177w8.cloudfront.net":"host-source","data.eu.pendo.io":"host-source","data.tpanalytics.energyexemplar.com":"host-source","data:":"scheme-source","dc.services.visualstudio.com":"host-source","fonts.gstatic.com":"host-source","https://*.tiles.mapbox.com":"host-source","https://api.mapbox.com":"host-source","https://content.tpanalytics.energyexemplar.com":"host-source","https://events.mapbox.com":"host-source","https://js.monitor.azure.com":"host-source","https://pendo-eu-static-5648358927892480.storage.googleapis.com":"host-source","https://vimeo.com":"host-source","https://www.google.com":"host-source","pendo-eu-io-static.storage.googleapis.com":"host-source","pendo-eu-static-5648358927892480.storage.googleapis.com":"host-source","pendo-static-5648358927892480.storage.googleapis.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' *.azureedge.net app.eu.pendo.io cdn.eu.pendo.io content.tpanalytics.energyexemplar.com d3sbxpiag177w8.cloudfront.net data.eu.pendo.io data.tpanalytics.energyexemplar.com pendo-eu-io-static.storage.googleapis.com pendo-static-5648358927892480.storage.googleapis.com; style-src 'self' 'unsafe-inline' *.googleapis.com app.eu.pendo.io cdn.eu.pendo.io content.tpanalytics.energyexemplar.com data.tpanalytics.energyexemplar.com pendo-eu-static-5648358927892480.storage.googleapis.com; object-src 'self'; base-uri 'none'; child-src 'self' blob:; connect-src 'self' *.energyexemplar.com app.eu.pendo.io content.tpanalytics.energyexemplar.com data.eu.pendo.io data.tpanalytics.energyexemplar.com dc.services.visualstudio.com https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com https://js.monitor.azure.com pendo-eu-static-5648358927892480.storage.googleapis.com; font-src 'self' data: fonts.gstatic.com; frame-ancestors 'none'; frame-src 'self' *.energyexemplar.com app.eu.pendo.io https://www.google.com; img-src 'self' app.eu.pendo.io blob: cdn.eu.pendo.io data.eu.pendo.io data.tpanalytics.energyexemplar.com data: https://content.tpanalytics.energyexemplar.com https://pendo-eu-static-5648358927892480.storage.googleapis.com; media-src https://vimeo.com; worker-src 'self' blob:;"],"stats":{"totalHigh":0,"totalMedium":10,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"data.eu.pendo.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"app.eu.pendo.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.eu.pendo.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"content.tpanalytics.energyexemplar.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"d3sbxpiag177w8.cloudfront.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"pendo-eu-io-static.storage.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"data.tpanalytics.energyexemplar.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.azureedge.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"pendo-static-5648358927892480.storage.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54c08f282f32c00d5a5f2d","ts":"2026-07-13T10:40:15.564Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ultimaworksqa.ltimindtree.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'nonce-05d58597f1aea4b70292eea3a29cb578' 'nonce-05d58597f1aea4b70292eea3a29cb578' https://cdn.botframework.com https://spdevstrgprod.blob.core.windows.net https://stultimabotprod.blob.core.windows.net/ https://cdn.ckeditor.com https://proxy-event.ckeditor.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com data: https://cdn.ckeditor.com https://proxy-event.ckeditor.com; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://spdevstrgprod.blob.core.windows.net https://stultimabotprod.blob.core.windows.net/ https://toert.github.io https://cdnjs.cloudflare.com https://cdn.ckeditor.com; style-src 'self' 'unsafe-inline' 'nonce-05d58597f1aea4b70292eea3a29cb578' https://fonts.googleapis.com https://ultimaworksqa.ltimindtree.com https://cdn.ckeditor.com https://proxy-event.ckeditor.com; img-src 'self' https://ultimaworksqa.blob.core.windows.net/ https://ultimaworksqa.ltimindtree.com https://mt-ultima-webbot-prod.azurewebsites.net https://gateway.zscaler.net/ https://stultimabotprod.blob.core.windows.net/ data: https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://nominatim.openstreetmap.org/ https://ultima-teamsbot-qa.azurewebsites.net/ https://ultimabot-teams-prod.azurewebsites.net/; connect-src 'self' https://res.cdn.office.net/ https://75deb2c391e9e4babf5afce4cbb561.d5.environment.api.powerplatform.com https://43b4659d9156e89f833c661f5ef8de.12.environment.api.powerplatform.com/ https://onboarding-qa-bmazd0aqfgcwb6gx.southindia-01.azurewebsites.net/ https://res.cdn.office.net/ https://login.microsoftonline.com/ https://ultimaworksqa.ltimindtree.com https://ultimaworksqa.ltimindtree.info https://directline.botframework.com https://ultimabot-api-qa.azurewebsites.net/ wss://directline.botframework.com https://mtultimamobileqa.z30.web.core.windows.net https://pws-collect.pdftron.com https://www.pdftron.com/ https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://nominatim.openstreetmap.org/ https://ultima-gateway.lemonbush-589da17d.southindia.azurecontainerapps.io/; frame-src https://ethrappsqa.azurewebsites.net/ https://copilotstudio.microsoft.com/ https://webchat.botframework.com/ https://ultimaworksqa.blob.core.windows.net/ https://obligations.azurewebsites.net/ https://app.snowflake.com/ https://pmsgoals.azurewebsites.net/ https://etisupportqa.azurewebsites.net https://viewletterqa.azurewebsites.net/ https://payplanning.ltimindtree.com/ https://marketpriceqa.azurewebsites.net/ https://seatm-demo.azurewebsites.net/ https://clmqa.azurewebsites.net/ https://apps.powerapps.com/ https://app.powerbi.com https://ltimindtree.sharepoint.com/ https://mindtreeonline.sharepoint.com https://login.microsoftonline.com https://ultimaworksqa.ltimindtree.com/ https://iattendance.ltimindtree.com/ https://digital-staging.ltimindtree.com/ https://digital.ltimindtree.com/ https://bookmyseat.ltimindtree.com/ https://ltim-icardsecurity-qa.azurewebsites.net https://vmsqa.ltimindtree.info/ https://ideamanagement.azurewebsites.net/ https://nominatim.openstreetmap.org/ https://ultimacacsbeta.azurewebsites.net; worker-src https://ultimaworksqa.ltimindtree.com https://cdn.ckeditor.com https://proxy-event.ckeditor.com; script-src-elem 'self' 'unsafe-inline' https://alcdn.msauth.net/ https://cdn.jsdelivr.net https://cdn.botframework.com/ https://statics.teams.cdn.office.net blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://alcdn.msftauth.net/; media-src 'self' https://ultimaworksqa.blob.core.windows.net/ data: blob: https://cdn.ckeditor.com https://proxy-event.ckeditor.com; frame-ancestors 'self' https://ultimaworksqa.ltimindtree.com/ https://teams.microsoft.com https://login.microsoftonline.com https://seatm-demo.azurewebsites.net/ https://app.powerbi.com/ *.azurewebsites.net;","directives":{"connect-src":["'self'","https://43b4659d9156e89f833c661f5ef8de.12.environment.api.powerplatform.com/","https://75deb2c391e9e4babf5afce4cbb561.d5.environment.api.powerplatform.com","https://cdn.ckeditor.com","https://directline.botframework.com","https://login.microsoftonline.com/","https://mtultimamobileqa.z30.web.core.windows.net","https://nominatim.openstreetmap.org/","https://onboarding-qa-bmazd0aqfgcwb6gx.southindia-01.azurewebsites.net/","https://proxy-event.ckeditor.com","https://pws-collect.pdftron.com","https://res.cdn.office.net/","https://res.cdn.office.net/","https://ultima-gateway.lemonbush-589da17d.southindia.azurecontainerapps.io/","https://ultimabot-api-qa.azurewebsites.net/","https://ultimaworksqa.ltimindtree.com","https://ultimaworksqa.ltimindtree.info","https://www.pdftron.com/","wss://directline.botframework.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://cdn.ckeditor.com","https://cdnjs.cloudflare.com","https://fonts.gstatic.com","https://proxy-event.ckeditor.com"],"frame-ancestors":["'self'","*.azurewebsites.net","https://app.powerbi.com/","https://login.microsoftonline.com","https://seatm-demo.azurewebsites.net/","https://teams.microsoft.com","https://ultimaworksqa.ltimindtree.com/"],"frame-src":["https://app.powerbi.com","https://app.snowflake.com/","https://apps.powerapps.com/","https://bookmyseat.ltimindtree.com/","https://clmqa.azurewebsites.net/","https://copilotstudio.microsoft.com/","https://digital-staging.ltimindtree.com/","https://digital.ltimindtree.com/","https://ethrappsqa.azurewebsites.net/","https://etisupportqa.azurewebsites.net","https://iattendance.ltimindtree.com/","https://ideamanagement.azurewebsites.net/","https://login.microsoftonline.com","https://ltim-icardsecurity-qa.azurewebsites.net","https://ltimindtree.sharepoint.com/","https://marketpriceqa.azurewebsites.net/","https://mindtreeonline.sharepoint.com","https://nominatim.openstreetmap.org/","https://obligations.azurewebsites.net/","https://payplanning.ltimindtree.com/","https://pmsgoals.azurewebsites.net/","https://seatm-demo.azurewebsites.net/","https://ultimacacsbeta.azurewebsites.net","https://ultimaworksqa.blob.core.windows.net/","https://ultimaworksqa.ltimindtree.com/","https://viewletterqa.azurewebsites.net/","https://vmsqa.ltimindtree.info/","https://webchat.botframework.com/"],"img-src":["'self'","data:","https://cdn.ckeditor.com","https://gateway.zscaler.net/","https://mt-ultima-webbot-prod.azurewebsites.net","https://nominatim.openstreetmap.org/","https://proxy-event.ckeditor.com","https://stultimabotprod.blob.core.windows.net/","https://ultima-teamsbot-qa.azurewebsites.net/","https://ultimabot-teams-prod.azurewebsites.net/","https://ultimaworksqa.blob.core.windows.net/","https://ultimaworksqa.ltimindtree.com"],"media-src":["'self'","blob:","data:","https://cdn.ckeditor.com","https://proxy-event.ckeditor.com","https://ultimaworksqa.blob.core.windows.net/"],"script-src":["'nonce-05d58597f1aea4b70292eea3a29cb578'","'nonce-05d58597f1aea4b70292eea3a29cb578'","'self'","https://cdn.botframework.com","https://cdn.ckeditor.com","https://proxy-event.ckeditor.com","https://spdevstrgprod.blob.core.windows.net","https://stultimabotprod.blob.core.windows.net/"],"script-src-elem":["'self'","'unsafe-inline'","blob:","https://alcdn.msauth.net/","https://alcdn.msftauth.net/","https://cdn.botframework.com/","https://cdn.ckeditor.com","https://cdn.jsdelivr.net","https://proxy-event.ckeditor.com","https://statics.teams.cdn.office.net"],"style-src":["'nonce-05d58597f1aea4b70292eea3a29cb578'","'self'","'unsafe-inline'","https://cdn.ckeditor.com","https://fonts.googleapis.com","https://proxy-event.ckeditor.com","https://ultimaworksqa.ltimindtree.com"],"style-src-elem":["'self'","'unsafe-inline'","https://cdn.ckeditor.com","https://cdnjs.cloudflare.com","https://fonts.googleapis.com","https://spdevstrgprod.blob.core.windows.net","https://stultimabotprod.blob.core.windows.net/","https://toert.github.io"],"worker-src":["https://cdn.ckeditor.com","https://proxy-event.ckeditor.com","https://ultimaworksqa.ltimindtree.com"]},"directiveOrder":["default-src","script-src","font-src","style-src-elem","style-src","img-src","connect-src","frame-src","worker-src","script-src-elem","media-src","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-05d58597f1aea4b70292eea3a29cb578'":"nonce-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","*.azurewebsites.net":"host-source","blob:":"scheme-source","data:":"scheme-source","https://43b4659d9156e89f833c661f5ef8de.12.environment.api.powerplatform.com/":"host-source","https://75deb2c391e9e4babf5afce4cbb561.d5.environment.api.powerplatform.com":"host-source","https://alcdn.msauth.net/":"host-source","https://alcdn.msftauth.net/":"host-source","https://app.powerbi.com":"host-source","https://app.powerbi.com/":"host-source","https://app.snowflake.com/":"host-source","https://apps.powerapps.com/":"host-source","https://bookmyseat.ltimindtree.com/":"host-source","https://cdn.botframework.com":"host-source","https://cdn.botframework.com/":"host-source","https://cdn.ckeditor.com":"host-source","https://cdn.jsdelivr.net":"host-source","https://cdnjs.cloudflare.com":"host-source","https://clmqa.azurewebsites.net/":"host-source","https://copilotstudio.microsoft.com/":"host-source","https://digital-staging.ltimindtree.com/":"host-source","https://digital.ltimindtree.com/":"host-source","https://directline.botframework.com":"host-source","https://ethrappsqa.azurewebsites.net/":"host-source","https://etisupportqa.azurewebsites.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://gateway.zscaler.net/":"host-source","https://iattendance.ltimindtree.com/":"host-source","https://ideamanagement.azurewebsites.net/":"host-source","https://login.microsoftonline.com":"host-source","https://login.microsoftonline.com/":"host-source","https://ltim-icardsecurity-qa.azurewebsites.net":"host-source","https://ltimindtree.sharepoint.com/":"host-source","https://marketpriceqa.azurewebsites.net/":"host-source","https://mindtreeonline.sharepoint.com":"host-source","https://mt-ultima-webbot-prod.azurewebsites.net":"host-source","https://mtultimamobileqa.z30.web.core.windows.net":"host-source","https://nominatim.openstreetmap.org/":"host-source","https://obligations.azurewebsites.net/":"host-source","https://onboarding-qa-bmazd0aqfgcwb6gx.southindia-01.azurewebsites.net/":"host-source","https://payplanning.ltimindtree.com/":"host-source","https://pmsgoals.azurewebsites.net/":"host-source","https://proxy-event.ckeditor.com":"host-source","https://pws-collect.pdftron.com":"host-source","https://res.cdn.office.net/":"host-source","https://seatm-demo.azurewebsites.net/":"host-source","https://spdevstrgprod.blob.core.windows.net":"host-source","https://statics.teams.cdn.office.net":"host-source","https://stultimabotprod.blob.core.windows.net/":"host-source","https://teams.microsoft.com":"host-source","https://toert.github.io":"host-source","https://ultima-gateway.lemonbush-589da17d.southindia.azurecontainerapps.io/":"host-source","https://ultima-teamsbot-qa.azurewebsites.net/":"host-source","https://ultimabot-api-qa.azurewebsites.net/":"host-source","https://ultimabot-teams-prod.azurewebsites.net/":"host-source","https://ultimacacsbeta.azurewebsites.net":"host-source","https://ultimaworksqa.blob.core.windows.net/":"host-source","https://ultimaworksqa.ltimindtree.com":"host-source","https://ultimaworksqa.ltimindtree.com/":"host-source","https://ultimaworksqa.ltimindtree.info":"host-source","https://viewletterqa.azurewebsites.net/":"host-source","https://vmsqa.ltimindtree.info/":"host-source","https://webchat.botframework.com/":"host-source","https://www.pdftron.com/":"host-source","wss://directline.botframework.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'nonce-05d58597f1aea4b70292eea3a29cb578' 'self' https://cdn.botframework.com https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://spdevstrgprod.blob.core.windows.net https://stultimabotprod.blob.core.windows.net/; script-src-elem 'self' 'unsafe-inline' blob: https://alcdn.msauth.net/ https://alcdn.msftauth.net/ https://cdn.botframework.com/ https://cdn.ckeditor.com https://cdn.jsdelivr.net https://proxy-event.ckeditor.com https://statics.teams.cdn.office.net; style-src 'nonce-05d58597f1aea4b70292eea3a29cb578' 'self' 'unsafe-inline' https://cdn.ckeditor.com https://fonts.googleapis.com https://proxy-event.ckeditor.com https://ultimaworksqa.ltimindtree.com; style-src-elem 'self' 'unsafe-inline' https://cdn.ckeditor.com https://cdnjs.cloudflare.com https://fonts.googleapis.com https://spdevstrgprod.blob.core.windows.net https://stultimabotprod.blob.core.windows.net/ https://toert.github.io; connect-src 'self' https://43b4659d9156e89f833c661f5ef8de.12.environment.api.powerplatform.com/ https://75deb2c391e9e4babf5afce4cbb561.d5.environment.api.powerplatform.com https://cdn.ckeditor.com https://directline.botframework.com https://login.microsoftonline.com/ https://mtultimamobileqa.z30.web.core.windows.net https://nominatim.openstreetmap.org/ https://onboarding-qa-bmazd0aqfgcwb6gx.southindia-01.azurewebsites.net/ https://proxy-event.ckeditor.com https://pws-collect.pdftron.com https://res.cdn.office.net/ https://ultima-gateway.lemonbush-589da17d.southindia.azurecontainerapps.io/ https://ultimabot-api-qa.azurewebsites.net/ https://ultimaworksqa.ltimindtree.com https://ultimaworksqa.ltimindtree.info https://www.pdftron.com/ wss://directline.botframework.com; font-src 'self' data: https://cdn.ckeditor.com https://cdnjs.cloudflare.com https://fonts.gstatic.com https://proxy-event.ckeditor.com; frame-ancestors 'self' *.azurewebsites.net https://app.powerbi.com/ https://login.microsoftonline.com https://seatm-demo.azurewebsites.net/ https://teams.microsoft.com https://ultimaworksqa.ltimindtree.com/; frame-src https://app.powerbi.com https://app.snowflake.com/ https://apps.powerapps.com/ https://bookmyseat.ltimindtree.com/ https://clmqa.azurewebsites.net/ https://copilotstudio.microsoft.com/ https://digital-staging.ltimindtree.com/ https://digital.ltimindtree.com/ https://ethrappsqa.azurewebsites.net/ https://etisupportqa.azurewebsites.net https://iattendance.ltimindtree.com/ https://ideamanagement.azurewebsites.net/ https://login.microsoftonline.com https://ltim-icardsecurity-qa.azurewebsites.net https://ltimindtree.sharepoint.com/ https://marketpriceqa.azurewebsites.net/ https://mindtreeonline.sharepoint.com https://nominatim.openstreetmap.org/ https://obligations.azurewebsites.net/ https://payplanning.ltimindtree.com/ https://pmsgoals.azurewebsites.net/ https://seatm-demo.azurewebsites.net/ https://ultimacacsbeta.azurewebsites.net https://ultimaworksqa.blob.core.windows.net/ https://ultimaworksqa.ltimindtree.com/ https://viewletterqa.azurewebsites.net/ https://vmsqa.ltimindtree.info/ https://webchat.botframework.com/; img-src 'self' data: https://cdn.ckeditor.com https://gateway.zscaler.net/ https://mt-ultima-webbot-prod.azurewebsites.net https://nominatim.openstreetmap.org/ https://proxy-event.ckeditor.com https://stultimabotprod.blob.core.windows.net/ https://ultima-teamsbot-qa.azurewebsites.net/ https://ultimabot-teams-prod.azurewebsites.net/ https://ultimaworksqa.blob.core.windows.net/ https://ultimaworksqa.ltimindtree.com; media-src 'self' blob: data: https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://ultimaworksqa.blob.core.windows.net/; worker-src https://cdn.ckeditor.com https://proxy-event.ckeditor.com https://ultimaworksqa.ltimindtree.com;"],"stats":{"totalHigh":0,"totalMedium":8,"totalLow":5,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://proxy-event.ckeditor.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.botframework.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.ckeditor.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://spdevstrgprod.blob.core.windows.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://stultimabotprod.blob.core.windows.net/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"style-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"script-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a54ac0a9b3483eecbc36875","ts":"2026-07-13T09:12:42.992Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://services.aig.co.il/PersonalServices/#/login;url=%2Fmain-board","isHidden":false,"parsedPolicy":{"policy":"worker-src blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://firebase.googleapis.com/ https://*.aig.co.il/ https://*.google.com https://googleadservices.com/ https://doubleclick.net https://*.doubleclick.net https://fls.doubleclick.net https://doubleclick.com https://*.zemanta.com/ https://zemanta.com https://*.taboola.com https://*.outbrain.com/ https://facebook.com https://facebook.net https://fbcdn.net https://analytics.google.com https://*.googletagmanager.com/ https://www.google.co.il/ https://www.google.com/recaptcha/api.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://www.gstatic.com https://*.google-analytics.com/ https://www.googleadservices.com/pagead/conversion/ https://*.facebook.net/ https://*.g.doubleclick.net/ https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js https://code.jquery.com/jquery-1.11.0.js https://glsbx.aig.co.il https://glsbxtst.aig.co.il https://cdn.appdynamics.com/adrum/adrum-24.4.0.4454.js https://cdn.appdynamics.com/ https://*.google.co.il https://apps.mypurecloud.ie/; connect-src 'self' https://www.gstatic.com/ https://firebase.googleapis.com/ https://*.googleapis.com/ https://www.facebook.com https://*.google.com/ https://p1.outbrain.com/v2/p/js/ https://tr.outbrain.com/ https://*.google.com https://psb.taboola.com/ https://*.googletagmanager.com https://amplify.outbrain.com/ https://fra-col.eum-appdynamics.com/ https://api.eum-appdynamics.com/ https://fra-blob-service.eum-appdynamics.com/ https://glsbx.aig.co.il/ https://glsbxtst.aig.co.il https://trc-events.taboola.com/ https://trc.taboola.com/ https://www.googleadservices.com/ https://*.google-analytics.com/ https://*.doubleclick.net https://pips.taboola.com/ https://cds.taboola.com/ https://*.g.doubleclick.net/ https://*.google.co.il https://apps.mypurecloud.ie/ https://api-cdn.mypurecloud.ie/ wss://webmessaging.mypurecloud.ie/; img-src 'self' https://www.facebook.com https://connect.facebook.net/ https://*.google-analytics.com https://www.googletagmanager.com https://googletagmanager.com https://adservice.google.com https://*.google-analytics.com https://*.doubleclick.net https://ade.googlesyndication.com https://*.googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google.com https://*.google.co.il https://google.com https://*.g.doubleclick.net https://googleads.g.doubleclick.net https://www.googleadservices.com https://pagead2.googlesyndication.com https://fra-col.eum-appdynamics.com https://*.outbrain.com data: blob:; frame-src https://www.googletagmanager.com https://cdn.appdynamics.com/ https://*.doubleclick.net https://*.fls.doubleclick.net https://*.google.com https://*.google.co.il https://apps.mypurecloud.ie/;","directives":{"connect-src":["'self'","https://*.doubleclick.net","https://*.g.doubleclick.net/","https://*.google-analytics.com/","https://*.google.co.il","https://*.google.com","https://*.google.com/","https://*.googleapis.com/","https://*.googletagmanager.com","https://amplify.outbrain.com/","https://api-cdn.mypurecloud.ie/","https://api.eum-appdynamics.com/","https://apps.mypurecloud.ie/","https://cds.taboola.com/","https://firebase.googleapis.com/","https://fra-blob-service.eum-appdynamics.com/","https://fra-col.eum-appdynamics.com/","https://glsbx.aig.co.il/","https://glsbxtst.aig.co.il","https://p1.outbrain.com/v2/p/js/","https://pips.taboola.com/","https://psb.taboola.com/","https://tr.outbrain.com/","https://trc-events.taboola.com/","https://trc.taboola.com/","https://www.facebook.com","https://www.googleadservices.com/","https://www.gstatic.com/","wss://webmessaging.mypurecloud.ie/"],"frame-src":["https://*.doubleclick.net","https://*.fls.doubleclick.net","https://*.google.co.il","https://*.google.com","https://apps.mypurecloud.ie/","https://cdn.appdynamics.com/","https://www.googletagmanager.com"],"img-src":["'self'","blob:","data:","https://*.doubleclick.net","https://*.g.doubleclick.net","https://*.google-analytics.com","https://*.google-analytics.com","https://*.google.co.il","https://*.google.com","https://*.googletagmanager.com","https://*.outbrain.com","https://ade.googlesyndication.com","https://adservice.google.com","https://connect.facebook.net/","https://fra-col.eum-appdynamics.com","https://google.com","https://googleads.g.doubleclick.net","https://googletagmanager.com","https://pagead2.googlesyndication.com","https://ssl.gstatic.com","https://www.facebook.com","https://www.googleadservices.com","https://www.googletagmanager.com","https://www.gstatic.com"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://*.aig.co.il/","https://*.doubleclick.net","https://*.facebook.net/","https://*.g.doubleclick.net/","https://*.google-analytics.com/","https://*.google.co.il","https://*.google.com","https://*.googletagmanager.com/","https://*.outbrain.com/","https://*.taboola.com","https://*.zemanta.com/","https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js","https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js","https://analytics.google.com","https://apps.mypurecloud.ie/","https://cdn.appdynamics.com/","https://cdn.appdynamics.com/adrum/adrum-24.4.0.4454.js","https://code.jquery.com/jquery-1.11.0.js","https://doubleclick.com","https://doubleclick.net","https://facebook.com","https://facebook.net","https://fbcdn.net","https://firebase.googleapis.com/","https://fls.doubleclick.net","https://glsbx.aig.co.il","https://glsbxtst.aig.co.il","https://googleadservices.com/","https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js","https://www.google.co.il/","https://www.google.com/recaptcha/api.js","https://www.googleadservices.com/pagead/conversion/","https://www.gstatic.com","https://zemanta.com"],"worker-src":["blob:"]},"directiveOrder":["worker-src","script-src","connect-src","img-src","frame-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://*.aig.co.il/":"host-source","https://*.doubleclick.net":"host-source","https://*.facebook.net/":"host-source","https://*.fls.doubleclick.net":"host-source","https://*.g.doubleclick.net":"host-source","https://*.g.doubleclick.net/":"host-source","https://*.google-analytics.com":"host-source","https://*.google-analytics.com/":"host-source","https://*.google.co.il":"host-source","https://*.google.com":"host-source","https://*.google.com/":"host-source","https://*.googleapis.com/":"host-source","https://*.googletagmanager.com":"host-source","https://*.googletagmanager.com/":"host-source","https://*.outbrain.com":"host-source","https://*.outbrain.com/":"host-source","https://*.taboola.com":"host-source","https://*.zemanta.com/":"host-source","https://ade.googlesyndication.com":"host-source","https://adservice.google.com":"host-source","https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js":"host-source","https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js":"host-source","https://amplify.outbrain.com/":"host-source","https://analytics.google.com":"host-source","https://api-cdn.mypurecloud.ie/":"host-source","https://api.eum-appdynamics.com/":"host-source","https://apps.mypurecloud.ie/":"host-source","https://cdn.appdynamics.com/":"host-source","https://cdn.appdynamics.com/adrum/adrum-24.4.0.4454.js":"host-source","https://cds.taboola.com/":"host-source","https://code.jquery.com/jquery-1.11.0.js":"host-source","https://connect.facebook.net/":"host-source","https://doubleclick.com":"host-source","https://doubleclick.net":"host-source","https://facebook.com":"host-source","https://facebook.net":"host-source","https://fbcdn.net":"host-source","https://firebase.googleapis.com/":"host-source","https://fls.doubleclick.net":"host-source","https://fra-blob-service.eum-appdynamics.com/":"host-source","https://fra-col.eum-appdynamics.com":"host-source","https://fra-col.eum-appdynamics.com/":"host-source","https://glsbx.aig.co.il":"host-source","https://glsbx.aig.co.il/":"host-source","https://glsbxtst.aig.co.il":"host-source","https://google.com":"host-source","https://googleads.g.doubleclick.net":"host-source","https://googleadservices.com/":"host-source","https://googletagmanager.com":"host-source","https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js":"host-source","https://p1.outbrain.com/v2/p/js/":"host-source","https://pagead2.googlesyndication.com":"host-source","https://pips.taboola.com/":"host-source","https://psb.taboola.com/":"host-source","https://ssl.gstatic.com":"host-source","https://tr.outbrain.com/":"host-source","https://trc-events.taboola.com/":"host-source","https://trc.taboola.com/":"host-source","https://www.facebook.com":"host-source","https://www.google.co.il/":"host-source","https://www.google.com/recaptcha/api.js":"host-source","https://www.googleadservices.com":"host-source","https://www.googleadservices.com/":"host-source","https://www.googleadservices.com/pagead/conversion/":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source","https://www.gstatic.com/":"host-source","https://zemanta.com":"host-source","wss://webmessaging.mypurecloud.ie/":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.aig.co.il/ https://*.doubleclick.net https://*.facebook.net/ https://*.g.doubleclick.net/ https://*.google-analytics.com/ https://*.google.co.il https://*.google.com https://*.googletagmanager.com/ https://*.outbrain.com/ https://*.taboola.com https://*.zemanta.com/ https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://analytics.google.com https://apps.mypurecloud.ie/ https://cdn.appdynamics.com/ https://cdn.appdynamics.com/adrum/adrum-24.4.0.4454.js https://code.jquery.com/jquery-1.11.0.js https://doubleclick.com https://doubleclick.net https://facebook.com https://facebook.net https://fbcdn.net https://firebase.googleapis.com/ https://fls.doubleclick.net https://glsbx.aig.co.il https://glsbxtst.aig.co.il https://googleadservices.com/ https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js https://www.google.co.il/ https://www.google.com/recaptcha/api.js https://www.googleadservices.com/pagead/conversion/ https://www.gstatic.com https://zemanta.com; connect-src 'self' https://*.doubleclick.net https://*.g.doubleclick.net/ https://*.google-analytics.com/ https://*.google.co.il https://*.google.com https://*.google.com/ https://*.googleapis.com/ https://*.googletagmanager.com https://amplify.outbrain.com/ https://api-cdn.mypurecloud.ie/ https://api.eum-appdynamics.com/ https://apps.mypurecloud.ie/ https://cds.taboola.com/ https://firebase.googleapis.com/ https://fra-blob-service.eum-appdynamics.com/ https://fra-col.eum-appdynamics.com/ https://glsbx.aig.co.il/ https://glsbxtst.aig.co.il https://p1.outbrain.com/v2/p/js/ https://pips.taboola.com/ https://psb.taboola.com/ https://tr.outbrain.com/ https://trc-events.taboola.com/ https://trc.taboola.com/ https://www.facebook.com https://www.googleadservices.com/ https://www.gstatic.com/ wss://webmessaging.mypurecloud.ie/; frame-src https://*.doubleclick.net https://*.fls.doubleclick.net https://*.google.co.il https://*.google.com https://apps.mypurecloud.ie/ https://cdn.appdynamics.com/ https://www.googletagmanager.com; img-src 'self' blob: data: https://*.doubleclick.net https://*.g.doubleclick.net https://*.google-analytics.com https://*.google.co.il https://*.google.com https://*.googletagmanager.com https://*.outbrain.com https://ade.googlesyndication.com https://adservice.google.com https://connect.facebook.net/ https://fra-col.eum-appdynamics.com https://google.com https://googleads.g.doubleclick.net https://googletagmanager.com https://pagead2.googlesyndication.com https://ssl.gstatic.com https://www.facebook.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com; worker-src blob:;"],"stats":{"totalHigh":2,"totalMedium":31,"totalLow":5,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.appdynamics.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.aig.co.il/","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.doubleclick.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.facebook.net/","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.g.doubleclick.net/","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.google-analytics.com/","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.google.co.il","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.googletagmanager.com/","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.outbrain.com/","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.taboola.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.zemanta.com/","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://analytics.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://apps.mypurecloud.ie/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://doubleclick.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Invalid use of IP address in source","severity":"MEDIUM","directive":"script-src","source":"https://cdn.appdynamics.com/adrum/adrum-24.4.0.4454.js","message":"It is invalid to use an IP address as a source. Please use the DNS name. (127.0.0.1 is valid, but should not be used in production)","recommendation":"Convert all IP address to DNS names","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://facebook.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://fbcdn.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://firebase.googleapis.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://fls.doubleclick.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://glsbx.aig.co.il","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://glsbxtst.aig.co.il","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://googleadservices.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google.co.il/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://doubleclick.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://zemanta.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"script-src","source":"https://cdn.appdynamics.com/adrum/adrum-24.4.0.4454.js","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"connect-src","source":"https://*.google.com/","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]}]