[{"id":"694e327c0f790b66efabe398","ts":"2025-12-26T07:00:12.527Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://nursing.hhnsystem.com/login","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self' 'report-sample' https://platform.twitter.com/widgets.js https://plausible.io/js/plausible.js https://utteranc.es/client.js https://cdnjs.cloudflare.com/ajax/libs/; style-src 'self' https://fonts.googleapis.com 'report-sample'; img-src 'self' data: https://plausible.io https://avatars.githubusercontent.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://plausible.io/api/event; frame-src https://platform.twitter.com https://utteranc.es https://github.com https://www.youtube.com https://player.vimeo.com; media-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; report-uri https://YOUR_ID.report.csper.io/csp","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io/api/event"],"default-src":["'none'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["https://github.com","https://platform.twitter.com","https://player.vimeo.com","https://utteranc.es","https://www.youtube.com"],"img-src":["'self'","data:","https://avatars.githubusercontent.com","https://plausible.io"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["https://YOUR_ID.report.csper.io/csp"],"script-src":["'report-sample'","'self'","https://cdnjs.cloudflare.com/ajax/libs/","https://platform.twitter.com/widgets.js","https://plausible.io/js/plausible.js","https://utteranc.es/client.js"],"style-src":["'report-sample'","'self'","https://fonts.googleapis.com"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","media-src","object-src","base-uri","frame-ancestors","
form-action","upgrade-insecure-requests","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","data:":"scheme-source","https://YOUR_ID.report.csper.io/csp":"host-source","https://avatars.githubusercontent.com":"host-source","https://cdnjs.cloudflare.com/ajax/libs/":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://platform.twitter.com/widgets.js":"host-source","https://plausible.io":"host-source","https://plausible.io/api/event":"host-source","https://plausible.io/js/plausible.js":"host-source","https://player.vimeo.com":"host-source","https://utteranc.es":"host-source","https://utteranc.es/client.js":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'report-sample' 'self' https://cdnjs.cloudflare.com/ajax/libs/ https://platform.twitter.com/widgets.js https://plausible.io/js/plausible.js https://utteranc.es/client.js; style-src 'report-sample' 'self' https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://plausible.io/api/event; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src https://github.com https://platform.twitter.com https://player.vimeo.com https://utteranc.es https://www.youtube.com; img-src 'self' data: https://avatars.githubusercontent.com https://plausible.io; media-src 'self'; report-uri https://YOUR_ID.report.csper.io/csp; upgrade-insecure-requests 
;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"694e2ce1ca32a360dfdb99a6","ts":"2025-12-26T06:36:17.81Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://nursing.hhnsystem.com/dashboard","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self' 'report-sample' https://platform.twitter.com/widgets.js https://plausible.io/js/plausible.js https://utteranc.es/client.js https://cdnjs.cloudflare.com/ajax/libs/; style-src 'self' https://fonts.googleapis.com 'report-sample'; img-src 'self' data: https://plausible.io https://avatars.githubusercontent.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://plausible.io/api/event; frame-src https://platform.twitter.com https://utteranc.es https://github.com https://www.youtube.com https://player.vimeo.com; media-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self'; 
upgrade-insecure-requests","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io/api/event"],"default-src":["'none'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["https://github.com","https://platform.twitter.com","https://player.vimeo.com","https://utteranc.es","https://www.youtube.com"],"img-src":["'self'","data:","https://avatars.githubusercontent.com","https://plausible.io"],"media-src":["'self'"],"object-src":["'none'"],"script-src":["'report-sample'","'self'","https://cdnjs.cloudflare.com/ajax/libs/","https://platform.twitter.com/widgets.js","https://plausible.io/js/plausible.js","https://utteranc.es/client.js"],"style-src":["'report-sample'","'self'","https://fonts.googleapis.com"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","media-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","data:":"scheme-source","https://avatars.githubusercontent.com":"host-source","https://cdnjs.cloudflare.com/ajax/libs/":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://platform.twitter.com/widgets.js":"host-source","https://plausible.io":"host-source","https://plausible.io/api/event":"host-source","https://plausible.io/js/plausible.js":"host-source","https://player.vimeo.com":"host-source","https://utteranc.es":"host-source","https://utteranc.es/client.js":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'report-sample' 'self' https://cdnjs.cloudflare.com/ajax/libs/ 
https://platform.twitter.com/widgets.js https://plausible.io/js/plausible.js https://utteranc.es/client.js; style-src 'report-sample' 'self' https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://plausible.io/api/event; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src https://github.com https://platform.twitter.com https://player.vimeo.com https://utteranc.es https://www.youtube.com; img-src 'self' data: https://avatars.githubusercontent.com https://plausible.io; media-src 'self'; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":0,"totalInfo":0},"recommendations":[{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"}]},{"id":"694e281eca32a360dfdb99a4","ts":"2025-12-26T06:15:58.646Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ticsupportla.com/dashboard","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 
'self'","directives":{"base-uri":["'self'"],"connect-src":["'self'"],"default-src":["'self'"],"font-src":["'self'"],"form-action":["'self'"],"frame-ancestors":["'none'"],"img-src":["'self'","data:"],"object-src":["'none'"],"script-src":["'self'"],"style-src":["'self'"],"style-src-attr":["'unsafe-inline'"]},"directiveOrder":["default-src","script-src","style-src","style-src-attr","img-src","font-src","connect-src","object-src","frame-ancestors","base-uri","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:;"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"style-src-attr","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694e26d4ca32a360dfdb99a3","ts":"2025-12-26T06:10:28.865Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://nursing.hhnsystem.com/dashboard","isHidden":false,"parsedPolicy":{"policy":"Content-Security-Policy: default-src 'none'; script-src 'self' https://platform.twitter.com https://plausible.io https://utteranc.es https://cdnjs.cloudflare.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://plausible.io https://avatars.githubusercontent.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://plausible.io; frame-src https://platform.twitter.com https://utteranc.es https://github.com https://www.youtube.com https://player.vimeo.com; media-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; report-to 
csp-endpoint","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io"],"content-security-policy:":["default-src","'none'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["https://github.com","https://platform.twitter.com","https://player.vimeo.com","https://utteranc.es","https://www.youtube.com"],"img-src":["'self'","data:","https://avatars.githubusercontent.com","https://plausible.io"],"media-src":["'self'"],"object-src":["'none'"],"report-to":["csp-endpoint"],"script-src":["'self'","https://cdnjs.cloudflare.com","https://platform.twitter.com","https://plausible.io","https://utteranc.es"],"style-src":["'self'","https://fonts.googleapis.com"],"upgrade-insecure-requests":[]},"directiveOrder":["content-security-policy:","script-src","style-src","img-src","font-src","connect-src","frame-src","media-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-to"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","csp-endpoint":"host-source","data:":"scheme-source","default-src":"","https://avatars.githubusercontent.com":"host-source","https://cdnjs.cloudflare.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://plausible.io":"host-source","https://player.vimeo.com":"host-source","https://utteranc.es":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' https://cdnjs.cloudflare.com https://platform.twitter.com https://plausible.io https://utteranc.es; style-src 'self' https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://plausible.io; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; 
frame-src https://github.com https://platform.twitter.com https://player.vimeo.com https://utteranc.es https://www.youtube.com; img-src 'self' data: https://avatars.githubusercontent.com https://plausible.io; media-src 'self'; report-to csp-endpoint; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":4,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://platform.twitter.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://plausible.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://utteranc.es","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694e25c7ca32a360dfdb99a2","ts":"2025-12-26T06:05:59.121Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://nursing.hhnsystem.com/dashboard","isHidden":false,"parsedPolicy":{"policy":"Content-Security-Policy: default-src 'none'; script-src 'self' https://platform.twitter.com https://plausible.io https://utteranc.es https://cdnjs.cloudflare.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://plausible.io https://avatars.githubusercontent.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://plausible.io; frame-src https://platform.twitter.com https://utteranc.es https://github.com https://www.youtube.com https://player.vimeo.com; media-src 'self'; 
object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; report-to csp-endpoint","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io"],"content-security-policy:":["default-src","'none'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["https://github.com","https://platform.twitter.com","https://player.vimeo.com","https://utteranc.es","https://www.youtube.com"],"img-src":["'self'","data:","https://avatars.githubusercontent.com","https://plausible.io"],"media-src":["'self'"],"object-src":["'none'"],"report-to":["csp-endpoint"],"script-src":["'self'","https://cdnjs.cloudflare.com","https://platform.twitter.com","https://plausible.io","https://utteranc.es"],"style-src":["'self'","https://fonts.googleapis.com"],"upgrade-insecure-requests":[]},"directiveOrder":["content-security-policy:","script-src","style-src","img-src","font-src","connect-src","frame-src","media-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-to"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","csp-endpoint":"host-source","data:":"scheme-source","default-src":"","https://avatars.githubusercontent.com":"host-source","https://cdnjs.cloudflare.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://plausible.io":"host-source","https://player.vimeo.com":"host-source","https://utteranc.es":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' https://cdnjs.cloudflare.com https://platform.twitter.com https://plausible.io https://utteranc.es; style-src 'self' https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 
'self' https://plausible.io; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src https://github.com https://platform.twitter.com https://player.vimeo.com https://utteranc.es https://www.youtube.com; img-src 'self' data: https://avatars.githubusercontent.com https://plausible.io; media-src 'self'; report-to csp-endpoint; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":4,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://platform.twitter.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://plausible.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://utteranc.es","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694e1bcd0f790b66efabe385","ts":"2025-12-26T05:23:25.07Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://payment.interview-zero-dev.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' data: https://*.interview-zero-dev.com ; media-src 'self' blob: https://*.interview-zero-dev.com; object-src 'none'; worker-src 'self' blob: ; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests; report-uri https://payment-bff.interview-zero-dev.com/report","directives":{"base-uri":["'self'"],"connect-src":["'self'","data:","https://*.interview-zero-dev.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'none'"],"img-src":["'self'","blob:","data:"],"media-src":["'self'","blob:","https://*.interview-zero-dev.com"],"object-src":["'none'"],"report-uri":["https://payment-bff.interview-zero-dev.com/report"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com","https://fonts.gstatic.com"],"upgrade-insecure-requests":[],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","media-src","object-src","worker-src","base-uri","form-action","frame-ancestors","upgrade-insecure-requests","report-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-s
ource","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://*.interview-zero-dev.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://payment-bff.interview-zero-dev.com/report":"host-source"}},"disposition":"report","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; object-src 'none'; base-uri 'self'; connect-src 'self' data: https://*.interview-zero-dev.com; font-src 'self' data: https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; img-src 'self' blob: data:; media-src 'self' blob: https://*.interview-zero-dev.com; report-uri https://payment-bff.interview-zero-dev.com/report; upgrade-insecure-requests ; worker-src 'self' blob:;"],"stats":{"totalHigh":1,"totalMedium":1,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. 
This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d56ce0f790b66efabe377","ts":"2025-12-25T15:22:54.381Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://creativeelectronicsandwires.com/","isHidden":false,"parsedPolicy":{"policy":"script-src 'self' https://apis.google.com;object-src 'none';base-uri 'self';frame-ancestors 'none';","directives":{"base-uri":["'self'"],"frame-ancestors":["'none'"],"object-src":["'none'"],"script-src":["'self'","https://apis.google.com"]},"directiveOrder":["script-src","object-src","base-uri","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","https://apis.google.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' https://apis.google.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none';"],"stats":{"totalHigh":0,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://apis.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d566cca32a360dfdb998c","ts":"2025-12-25T15:21:16.342Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://creativeelectronicsandwires.com/","isHidden":false,"parsedPolicy":{"policy":"script-src 'self' https://apis.google.com;object-src 'none';base-uri 'self';","directives":{"base-uri":["'self'"],"object-src":["'none'"],"script-src":["'self'","https://apis.google.com"]},"directiveOrder":["script-src","object-src","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","https://apis.google.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' https://apis.google.com; object-src 'none'; base-uri 'self';"],"stats":{"totalHigh":0,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://apis.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d56390f790b66efabe376","ts":"2025-12-25T15:20:25.986Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://creativeelectronicsandwires.com/","isHidden":false,"parsedPolicy":{"policy":"script-src 'self' https://apis.google.com;object-src 'none';","directives":{"object-src":["'none'"],"script-src":["'self'","https://apis.google.com"]},"directiveOrder":["script-src","object-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","https://apis.google.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' https://apis.google.com; object-src 'none';"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://apis.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d5604ca32a360dfdb998b","ts":"2025-12-25T15:19:32.104Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://creativeelectronicsandwires.com/","isHidden":false,"parsedPolicy":{"policy":"script-src 'self' https://apis.google.com;","directives":{"script-src":["'self'","https://apis.google.com"]},"directiveOrder":["script-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","https://apis.google.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' https://apis.google.com;"],"stats":{"totalHigh":1,"totalMedium":3,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://apis.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d55600f790b66efabe375","ts":"2025-12-25T15:16:48.823Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://creativeelectronicsandwires.com/","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests;","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There is no defined form-action. Without it, an injected \u003cform\u003e can submit autofilled credentials, tokens and other sensitive page data to an attacker-controlled origin.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d3cfdca32a360dfdb997d","ts":"2025-12-25T13:32:45.051Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://just-do.it.com/checkout/","isHidden":false,"parsedPolicy":{"policy":"font-src www.paypalobjects.com fonts.gstatic.com use.typekit.net *.typekit.net *.gstatic.com data: 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com *.paypal.com *.cardinalcommerce.com 3ds-secure.cardcomplete.com www.clicksafe.lloydstsb.com pay.activa-card.com *.wirecard.com acs.sia.eu *.touchtechpayments.com www.securesuite.co.uk rsa3dsauth.com *.monzo.com *.arcot.com *.wlp-acs.com * 'self' 'unsafe-inline'; frame-ancestors 'self'; frame-src fast.amc.demdex.net *.adobe.com bid.g.doubleclick.net *.youtube.com *.youtube-nocookie.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com www.paypalobjects.com player.vimeo.com https://www.google.com/recaptcha/ *.braintreegateway.com *.paypal.com google.com *.google.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com * 'self' 'unsafe-inline'; img-src data: assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com www.googleadservices.com *.google-analytics.com googleads.g.doubleclick.net www.google.com bid.g.doubleclick.net 
*.analytics.google.com www.googletagmanager.com *.ftcdn.net *.behance.net t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com *.youtube.com p.typekit.net *.paypal.com *.typekit.net *.gstatic.com validator.swagger.io www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com *.commerce-payment-services.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net *.typekit.net google.com *.google.com *.cdn-apple.com *.braintreegateway.com js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com fonts.googleapis.com assets.braintreegateway.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net *.google-analytics.com www.googleadservices.com *.analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net vimeo.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 
1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com *.adobe.io performance.typekit.net *.sentry.io *.paypal.com google.com *.google.com *.braintreegateway.com *.braintree-api.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.cardinalcommerce.com 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';","directives":{"base-uri":["'self'","'unsafe-inline'"],"child-src":["'self'","'unsafe-inline'","*.paypal.com","assets.braintreegateway.com","blob:","c.paypal.com","http:","https:"],"connect-src":["'self'","'unsafe-inline'","*.adobe.io","*.analytics.google.com","*.braintree-api.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google-analytics.com","*.google.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.sentry.io","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","api.braintreegateway.com","api.sandbox.braintreegateway.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","client-analytics.braintreegateway.com","client-analytics.sandbox.braintreegateway.com","dpm.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","performance.typekit.net","pilot-payflowlink.paypal.com","vimeo.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"default-src":["'self'","'unsafe-eval'","'unsafe-inline'"],"font-src":["'self'","'unsafe-inline'","*.gstatic.com","*.typekit.net","data:","fonts.gstatic.com","use.typekit.net","www.paypalobjects.com"],"form-action":["'self'","'unsafe-inline'","*","*.arcot.com","*.cardinalcommerce.com",
"*.monzo.com","*.paypal.com","*.touchtechpayments.com","*.wirecard.com","*.wlp-acs.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","3ds-secure.cardcomplete.com","acs.sia.eu","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","pay.activa-card.com","pilot-payflowlink.paypal.com","rsa3dsauth.com","www.clicksafe.lloydstsb.com","www.paypal.com","www.sandbox.paypal.com","www.securesuite.co.uk"],"frame-ancestors":["'self'"],"frame-src":["'self'","'unsafe-inline'","*","*.adobe.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google.com","*.paypal.com","*.youtube-nocookie.com","*.youtube.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","assets.braintreegateway.com","bid.g.doubleclick.net","c.paypal.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","checkout.paypal.com","fast.amc.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","https://www.google.com/recaptcha/","pay.google.com","pilot-payflowlink.paypal.com","player.vimeo.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"img-src":["'self'","'unsafe-inline'","*.adobe.com","*.analytics.google.com","*.behance.net","*.ftcdn.net","*.google-analytics.com","*.gstatic.com","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","amcglobal.sc.omtrdc.net","assets.adobedtm.com","assets.braintreegateway.com","b.stats.paypal.com","bid.g.doubleclick.net","c.paypal.com","checkout.paypal.com","cm.everesttech.net","data:","data:","dpm.demdex.net","dub.stats.paypal.com","fpdbs.paypal.com","fpdbs.sandbox.paypal.com","googleads.g.doubleclick.net","i.ytimg.com","p.typekit.net","t.paypal.com","validator.swagger.io","widgets.magentocommerce.com","www.google.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"manifest-src":["'self'","'unsafe-inline'"],"media-sr
c":["'self'","'unsafe-inline'","*.adobe.com"],"object-src":["'self'","'unsafe-inline'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*.adobe.com","*.braintreegateway.com","*.cdn-apple.com","*.commerce-payment-services.com","*.google.com","*.magento-ds.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","1eafapi.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","analytics.google.com","api.braintreegateway.com","api.sandbox.braintreegateway.com","assets.adobedtm.com","assets.braintreegateway.com","c.paypal.com","client-analytics.braintreegateway.com","client-analytics.sandbox.braintreegateway.com","geoapi.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","googleads.g.doubleclick.net","https://www.google.com/recaptcha/","https://www.gstatic.com/recaptcha/","includestest.ccdc02.com","js.braintreegateway.com","pay.google.com","s.ytimg.com","songbird.cardinalcommerce.com","songbirdstag.cardinalcommerce.com","t.paypal.com","use.typekit.net","vimeo.com","www.google-analytics.com","www.googleadservices.com","www.googleapis.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com","www.vimeo.com"],"style-src":["'self'","'unsafe-inline'","*.adobe.com","assets.braintreegateway.com","fonts.googleapis.com"]},"directiveOrder":["font-src","form-action","frame-ancestors","frame-src","img-src","script-src","style-src","object-src","media-src","manifest-src","connect-src","child-src","default-src","base-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","*.adobe.com":"host-source","*.adobe.io":"host-source","*.analytics.google.com":"host-source","*.arcot.com":"host-source","*.behance.net":"host-source","*.braintree-api.com":"host-source","*.braintreegateway.com":"host-source","*.cardinalcommerce.com":"host-source"
,"*.cdn-apple.com":"host-source","*.commerce-payment-services.com":"host-source","*.ftcdn.net":"host-source","*.google-analytics.com":"host-source","*.google.com":"host-source","*.gstatic.com":"host-source","*.magento-ds.com":"host-source","*.monzo.com":"host-source","*.newrelic.com":"host-source","*.nr-data.net":"host-source","*.paypal.com":"host-source","*.sentry.io":"host-source","*.touchtechpayments.com":"host-source","*.typekit.net":"host-source","*.vimeocdn.com":"host-source","*.wirecard.com":"host-source","*.wlp-acs.com":"host-source","*.youtube-nocookie.com":"host-source","*.youtube.com":"host-source","1eaf.cardinalcommerce.com":"host-source","1eafapi.cardinalcommerce.com":"host-source","1eafstag.cardinalcommerce.com":"host-source","3ds-secure.cardcomplete.com":"host-source","acs.sia.eu":"host-source","amcglobal.sc.omtrdc.net":"host-source","analytics.google.com":"host-source","api.braintreegateway.com":"host-source","api.sandbox.braintreegateway.com":"host-source","assets.adobedtm.com":"host-source","assets.braintreegateway.com":"host-source","b.stats.paypal.com":"host-source","bid.g.doubleclick.net":"host-source","blob:":"scheme-source","c.paypal.com":"host-source","centinelapi.cardinalcommerce.com":"host-source","centinelapistag.cardinalcommerce.com":"host-source","checkout.paypal.com":"host-source","client-analytics.braintreegateway.com":"host-source","client-analytics.sandbox.braintreegateway.com":"host-source","cm.everesttech.net":"host-source","data:":"scheme-source","dpm.demdex.net":"host-source","dub.stats.paypal.com":"host-source","fast.amc.demdex.net":"host-source","fonts.googleapis.com":"host-source","fonts.gstatic.com":"host-source","fpdbs.paypal.com":"host-source","fpdbs.sandbox.paypal.com":"host-source","geo.cardinalcommerce.com":"host-source","geoapi.cardinalcommerce.com":"host-source","geostag.cardinalcommerce.com":"host-source","google.com":"host-source","googleads.g.doubleclick.net":"host-source","http:":"scheme-source","https:":"scheme-so
urce","https://www.google.com/recaptcha/":"host-source","https://www.gstatic.com/recaptcha/":"host-source","i.ytimg.com":"host-source","includestest.ccdc02.com":"host-source","js.braintreegateway.com":"host-source","p.typekit.net":"host-source","pay.activa-card.com":"host-source","pay.google.com":"host-source","performance.typekit.net":"host-source","pilot-payflowlink.paypal.com":"host-source","player.vimeo.com":"host-source","rsa3dsauth.com":"host-source","s.ytimg.com":"host-source","songbird.cardinalcommerce.com":"host-source","songbirdstag.cardinalcommerce.com":"host-source","t.paypal.com":"host-source","use.typekit.net":"host-source","validator.swagger.io":"host-source","vimeo.com":"host-source","widgets.magentocommerce.com":"host-source","www.clicksafe.lloydstsb.com":"host-source","www.google-analytics.com":"host-source","www.google.com":"host-source","www.googleadservices.com":"host-source","www.googleapis.com":"host-source","www.googletagmanager.com":"host-source","www.paypal.com":"host-source","www.paypalobjects.com":"host-source","www.sandbox.paypal.com":"host-source","www.securesuite.co.uk":"host-source","www.vimeo.com":"host-source"}},"disposition":"report","source":"header","policies":["default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.adobe.com *.braintreegateway.com *.cdn-apple.com *.commerce-payment-services.com *.google.com *.magento-ds.com *.newrelic.com *.nr-data.net *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com 1eafapi.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net analytics.google.com api.braintreegateway.com api.sandbox.braintreegateway.com assets.adobedtm.com assets.braintreegateway.com c.paypal.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com geoapi.cardinalcommerce.com geostag.cardinalcommerce.com google.com googleads.g.doubleclick.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 
includestest.ccdc02.com js.braintreegateway.com pay.google.com s.ytimg.com songbird.cardinalcommerce.com songbirdstag.cardinalcommerce.com t.paypal.com use.typekit.net vimeo.com www.google-analytics.com www.googleadservices.com www.googleapis.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com www.vimeo.com; style-src 'self' 'unsafe-inline' *.adobe.com assets.braintreegateway.com fonts.googleapis.com; object-src 'self' 'unsafe-inline'; base-uri 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline' *.paypal.com assets.braintreegateway.com blob: c.paypal.com http: https:; connect-src 'self' 'unsafe-inline' *.adobe.io *.analytics.google.com *.braintree-api.com *.braintreegateway.com *.cardinalcommerce.com *.google-analytics.com *.google.com *.newrelic.com *.nr-data.net *.paypal.com *.sentry.io 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net api.braintreegateway.com api.sandbox.braintreegateway.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com dpm.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com performance.typekit.net pilot-payflowlink.paypal.com vimeo.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; font-src 'self' 'unsafe-inline' *.gstatic.com *.typekit.net data: fonts.gstatic.com use.typekit.net www.paypalobjects.com; form-action 'self' 'unsafe-inline' * *.arcot.com *.cardinalcommerce.com *.monzo.com *.paypal.com *.touchtechpayments.com *.wirecard.com *.wlp-acs.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com 3ds-secure.cardcomplete.com acs.sia.eu centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com geo.cardinalcommerce.com geostag.cardinalcommerce.com pay.activa-card.com pilot-payflowlink.paypal.com rsa3dsauth.com www.clicksafe.lloydstsb.com www.paypal.com 
www.sandbox.paypal.com www.securesuite.co.uk; frame-ancestors 'self'; frame-src 'self' 'unsafe-inline' * *.adobe.com *.braintreegateway.com *.cardinalcommerce.com *.google.com *.paypal.com *.youtube-nocookie.com *.youtube.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com assets.braintreegateway.com bid.g.doubleclick.net c.paypal.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com checkout.paypal.com fast.amc.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com https://www.google.com/recaptcha/ pay.google.com pilot-payflowlink.paypal.com player.vimeo.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; img-src 'self' 'unsafe-inline' *.adobe.com *.analytics.google.com *.behance.net *.ftcdn.net *.google-analytics.com *.gstatic.com *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com amcglobal.sc.omtrdc.net assets.adobedtm.com assets.braintreegateway.com b.stats.paypal.com bid.g.doubleclick.net c.paypal.com checkout.paypal.com cm.everesttech.net data: dpm.demdex.net dub.stats.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com googleads.g.doubleclick.net i.ytimg.com p.typekit.net t.paypal.com validator.swagger.io widgets.magentocommerce.com www.google.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; manifest-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline' *.adobe.com;"],"stats":{"totalHigh":1,"totalMedium":47,"totalLow":27,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. 
This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"includestest.ccdc02.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"googleads.g.doubleclick.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.braintreegateway.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.cdn-apple.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"child-src","source":"http:","message":"Allowing content over insecure channels lets a network attacker eavesdrop on and tamper with that content in transit","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.sandbox.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypalobjects.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"js.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.commerce-payment-services.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.magento-ds.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.newrelic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.nr-data.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.paypal.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.typekit.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.vimeocdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"amcglobal.sc.omtrdc.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"analytics.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.adobedtm.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"c.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geoapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geostag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"s.ytimg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. 
This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.adobe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbird.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbirdstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"t.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"use.typekit.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleadservices.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"pay.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.paypal.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"font-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.monzo.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"child-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"base-uri","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the 
unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"object-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"img-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"manifest-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"media-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.paypal.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"form-action","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.arcot.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"frame-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.touchtechpayments.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.wirecard.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary 
source","severity":"LOW","directive":"form-action","source":"*.wlp-acs.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.adobe.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.braintreegateway.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.cardinalcommerce.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.google.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.cardinalcommerce.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube-nocookie.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default 
directive","severity":"LOW","directive":"connect-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d3bf4ca32a360dfdb997c","ts":"2025-12-25T13:28:20.379Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://uvnexus.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https: data:;","directives":{"default-src":["'self'"],"font-src":["'self'","data:","https:"],"img-src":["'self'","data:","https:"],"script-src":["'self'","'unsafe-inline'","https:"],"style-src":["'self'","'unsafe-inline'","https:"]},"directiveOrder":["default-src","img-src","script-src","style-src","font-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https:":"scheme-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; img-src 'self' data: https:;"],"stats":{"totalHigh":2,"totalMedium":3,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. 
This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"https:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d2d2dca32a360dfdb997b","ts":"2025-12-25T12:25:17.703Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://just-do.it.com/checkout/","isHidden":false,"parsedPolicy":{"policy":"font-src www.paypalobjects.com fonts.gstatic.com use.typekit.net *.typekit.net *.gstatic.com data: 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com *.paypal.com *.cardinalcommerce.com 3ds-secure.cardcomplete.com www.clicksafe.lloydstsb.com pay.activa-card.com *.wirecard.com acs.sia.eu *.touchtechpayments.com www.securesuite.co.uk rsa3dsauth.com *.monzo.com *.arcot.com *.wlp-acs.com * 'self' 'unsafe-inline'; frame-ancestors 'self'; frame-src fast.amc.demdex.net *.adobe.com bid.g.doubleclick.net *.youtube.com *.youtube-nocookie.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com www.paypalobjects.com player.vimeo.com https://www.google.com/recaptcha/ *.braintreegateway.com *.paypal.com google.com *.google.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com * 'self' 'unsafe-inline'; img-src data: assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com www.googleadservices.com *.google-analytics.com googleads.g.doubleclick.net www.google.com bid.g.doubleclick.net 
*.analytics.google.com www.googletagmanager.com *.ftcdn.net *.behance.net t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com *.youtube.com p.typekit.net *.paypal.com *.typekit.net *.gstatic.com validator.swagger.io www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com *.commerce-payment-services.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net *.typekit.net google.com *.google.com *.cdn-apple.com *.braintreegateway.com js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com fonts.googleapis.com assets.braintreegateway.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net *.google-analytics.com www.googleadservices.com *.analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net vimeo.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 
1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com *.adobe.io performance.typekit.net *.sentry.io *.paypal.com google.com *.google.com *.braintreegateway.com *.braintree-api.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.cardinalcommerce.com 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';","directives":{"base-uri":["'self'","'unsafe-inline'"],"child-src":["'self'","'unsafe-inline'","*.paypal.com","assets.braintreegateway.com","blob:","c.paypal.com","http:","https:"],"connect-src":["'self'","'unsafe-inline'","*.adobe.io","*.analytics.google.com","*.braintree-api.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google-analytics.com","*.google.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.sentry.io","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","api.braintreegateway.com","api.sandbox.braintreegateway.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","client-analytics.braintreegateway.com","client-analytics.sandbox.braintreegateway.com","dpm.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","performance.typekit.net","pilot-payflowlink.paypal.com","vimeo.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"default-src":["'self'","'unsafe-eval'","'unsafe-inline'"],"font-src":["'self'","'unsafe-inline'","*.gstatic.com","*.typekit.net","data:","fonts.gstatic.com","use.typekit.net","www.paypalobjects.com"],"form-action":["'self'","'unsafe-inline'","*","*.arcot.com","*.cardinalcommerce.com",
"*.monzo.com","*.paypal.com","*.touchtechpayments.com","*.wirecard.com","*.wlp-acs.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","3ds-secure.cardcomplete.com","acs.sia.eu","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","pay.activa-card.com","pilot-payflowlink.paypal.com","rsa3dsauth.com","www.clicksafe.lloydstsb.com","www.paypal.com","www.sandbox.paypal.com","www.securesuite.co.uk"],"frame-ancestors":["'self'"],"frame-src":["'self'","'unsafe-inline'","*","*.adobe.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google.com","*.paypal.com","*.youtube-nocookie.com","*.youtube.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","assets.braintreegateway.com","bid.g.doubleclick.net","c.paypal.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","checkout.paypal.com","fast.amc.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","https://www.google.com/recaptcha/","pay.google.com","pilot-payflowlink.paypal.com","player.vimeo.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"img-src":["'self'","'unsafe-inline'","*.adobe.com","*.analytics.google.com","*.behance.net","*.ftcdn.net","*.google-analytics.com","*.gstatic.com","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","amcglobal.sc.omtrdc.net","assets.adobedtm.com","assets.braintreegateway.com","b.stats.paypal.com","bid.g.doubleclick.net","c.paypal.com","checkout.paypal.com","cm.everesttech.net","data:","data:","dpm.demdex.net","dub.stats.paypal.com","fpdbs.paypal.com","fpdbs.sandbox.paypal.com","googleads.g.doubleclick.net","i.ytimg.com","p.typekit.net","t.paypal.com","validator.swagger.io","widgets.magentocommerce.com","www.google.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"manifest-src":["'self'","'unsafe-inline'"],"media-sr
c":["'self'","'unsafe-inline'","*.adobe.com"],"object-src":["'self'","'unsafe-inline'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*.adobe.com","*.braintreegateway.com","*.cdn-apple.com","*.commerce-payment-services.com","*.google.com","*.magento-ds.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","1eafapi.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","analytics.google.com","api.braintreegateway.com","api.sandbox.braintreegateway.com","assets.adobedtm.com","assets.braintreegateway.com","c.paypal.com","client-analytics.braintreegateway.com","client-analytics.sandbox.braintreegateway.com","geoapi.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","googleads.g.doubleclick.net","https://www.google.com/recaptcha/","https://www.gstatic.com/recaptcha/","includestest.ccdc02.com","js.braintreegateway.com","pay.google.com","s.ytimg.com","songbird.cardinalcommerce.com","songbirdstag.cardinalcommerce.com","t.paypal.com","use.typekit.net","vimeo.com","www.google-analytics.com","www.googleadservices.com","www.googleapis.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com","www.vimeo.com"],"style-src":["'self'","'unsafe-inline'","*.adobe.com","assets.braintreegateway.com","fonts.googleapis.com"]},"directiveOrder":["font-src","form-action","frame-ancestors","frame-src","img-src","script-src","style-src","object-src","media-src","manifest-src","connect-src","child-src","default-src","base-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","*.adobe.com":"host-source","*.adobe.io":"host-source","*.analytics.google.com":"host-source","*.arcot.com":"host-source","*.behance.net":"host-source","*.braintree-api.com":"host-source","*.braintreegateway.com":"host-source","*.cardinalcommerce.com":"host-source"
,"*.cdn-apple.com":"host-source","*.commerce-payment-services.com":"host-source","*.ftcdn.net":"host-source","*.google-analytics.com":"host-source","*.google.com":"host-source","*.gstatic.com":"host-source","*.magento-ds.com":"host-source","*.monzo.com":"host-source","*.newrelic.com":"host-source","*.nr-data.net":"host-source","*.paypal.com":"host-source","*.sentry.io":"host-source","*.touchtechpayments.com":"host-source","*.typekit.net":"host-source","*.vimeocdn.com":"host-source","*.wirecard.com":"host-source","*.wlp-acs.com":"host-source","*.youtube-nocookie.com":"host-source","*.youtube.com":"host-source","1eaf.cardinalcommerce.com":"host-source","1eafapi.cardinalcommerce.com":"host-source","1eafstag.cardinalcommerce.com":"host-source","3ds-secure.cardcomplete.com":"host-source","acs.sia.eu":"host-source","amcglobal.sc.omtrdc.net":"host-source","analytics.google.com":"host-source","api.braintreegateway.com":"host-source","api.sandbox.braintreegateway.com":"host-source","assets.adobedtm.com":"host-source","assets.braintreegateway.com":"host-source","b.stats.paypal.com":"host-source","bid.g.doubleclick.net":"host-source","blob:":"scheme-source","c.paypal.com":"host-source","centinelapi.cardinalcommerce.com":"host-source","centinelapistag.cardinalcommerce.com":"host-source","checkout.paypal.com":"host-source","client-analytics.braintreegateway.com":"host-source","client-analytics.sandbox.braintreegateway.com":"host-source","cm.everesttech.net":"host-source","data:":"scheme-source","dpm.demdex.net":"host-source","dub.stats.paypal.com":"host-source","fast.amc.demdex.net":"host-source","fonts.googleapis.com":"host-source","fonts.gstatic.com":"host-source","fpdbs.paypal.com":"host-source","fpdbs.sandbox.paypal.com":"host-source","geo.cardinalcommerce.com":"host-source","geoapi.cardinalcommerce.com":"host-source","geostag.cardinalcommerce.com":"host-source","google.com":"host-source","googleads.g.doubleclick.net":"host-source","http:":"scheme-source","https:":"scheme-so
urce","https://www.google.com/recaptcha/":"host-source","https://www.gstatic.com/recaptcha/":"host-source","i.ytimg.com":"host-source","includestest.ccdc02.com":"host-source","js.braintreegateway.com":"host-source","p.typekit.net":"host-source","pay.activa-card.com":"host-source","pay.google.com":"host-source","performance.typekit.net":"host-source","pilot-payflowlink.paypal.com":"host-source","player.vimeo.com":"host-source","rsa3dsauth.com":"host-source","s.ytimg.com":"host-source","songbird.cardinalcommerce.com":"host-source","songbirdstag.cardinalcommerce.com":"host-source","t.paypal.com":"host-source","use.typekit.net":"host-source","validator.swagger.io":"host-source","vimeo.com":"host-source","widgets.magentocommerce.com":"host-source","www.clicksafe.lloydstsb.com":"host-source","www.google-analytics.com":"host-source","www.google.com":"host-source","www.googleadservices.com":"host-source","www.googleapis.com":"host-source","www.googletagmanager.com":"host-source","www.paypal.com":"host-source","www.paypalobjects.com":"host-source","www.sandbox.paypal.com":"host-source","www.securesuite.co.uk":"host-source","www.vimeo.com":"host-source"}},"disposition":"report","source":"header","policies":["default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.adobe.com *.braintreegateway.com *.cdn-apple.com *.commerce-payment-services.com *.google.com *.magento-ds.com *.newrelic.com *.nr-data.net *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com 1eafapi.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net analytics.google.com api.braintreegateway.com api.sandbox.braintreegateway.com assets.adobedtm.com assets.braintreegateway.com c.paypal.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com geoapi.cardinalcommerce.com geostag.cardinalcommerce.com google.com googleads.g.doubleclick.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 
includestest.ccdc02.com js.braintreegateway.com pay.google.com s.ytimg.com songbird.cardinalcommerce.com songbirdstag.cardinalcommerce.com t.paypal.com use.typekit.net vimeo.com www.google-analytics.com www.googleadservices.com www.googleapis.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com www.vimeo.com; style-src 'self' 'unsafe-inline' *.adobe.com assets.braintreegateway.com fonts.googleapis.com; object-src 'self' 'unsafe-inline'; base-uri 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline' *.paypal.com assets.braintreegateway.com blob: c.paypal.com http: https:; connect-src 'self' 'unsafe-inline' *.adobe.io *.analytics.google.com *.braintree-api.com *.braintreegateway.com *.cardinalcommerce.com *.google-analytics.com *.google.com *.newrelic.com *.nr-data.net *.paypal.com *.sentry.io 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net api.braintreegateway.com api.sandbox.braintreegateway.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com dpm.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com performance.typekit.net pilot-payflowlink.paypal.com vimeo.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; font-src 'self' 'unsafe-inline' *.gstatic.com *.typekit.net data: fonts.gstatic.com use.typekit.net www.paypalobjects.com; form-action 'self' 'unsafe-inline' * *.arcot.com *.cardinalcommerce.com *.monzo.com *.paypal.com *.touchtechpayments.com *.wirecard.com *.wlp-acs.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com 3ds-secure.cardcomplete.com acs.sia.eu centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com geo.cardinalcommerce.com geostag.cardinalcommerce.com pay.activa-card.com pilot-payflowlink.paypal.com rsa3dsauth.com www.clicksafe.lloydstsb.com www.paypal.com 
www.sandbox.paypal.com www.securesuite.co.uk; frame-ancestors 'self'; frame-src 'self' 'unsafe-inline' * *.adobe.com *.braintreegateway.com *.cardinalcommerce.com *.google.com *.paypal.com *.youtube-nocookie.com *.youtube.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com assets.braintreegateway.com bid.g.doubleclick.net c.paypal.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com checkout.paypal.com fast.amc.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com https://www.google.com/recaptcha/ pay.google.com pilot-payflowlink.paypal.com player.vimeo.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; img-src 'self' 'unsafe-inline' *.adobe.com *.analytics.google.com *.behance.net *.ftcdn.net *.google-analytics.com *.gstatic.com *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com amcglobal.sc.omtrdc.net assets.adobedtm.com assets.braintreegateway.com b.stats.paypal.com bid.g.doubleclick.net c.paypal.com checkout.paypal.com cm.everesttech.net data: dpm.demdex.net dub.stats.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com googleads.g.doubleclick.net i.ytimg.com p.typekit.net t.paypal.com validator.swagger.io widgets.magentocommerce.com www.google.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; manifest-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline' *.adobe.com;"],"stats":{"totalHigh":1,"totalMedium":47,"totalLow":27,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. 
This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"includestest.ccdc02.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"googleads.g.doubleclick.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.braintreegateway.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.cdn-apple.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"child-src","source":"http:","message":"Allowing content over insecure channels allows snooping on and tampering with data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.sandbox.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypalobjects.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"js.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.commerce-payment-services.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.magento-ds.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.newrelic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.nr-data.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.paypal.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.typekit.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.vimeocdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"amcglobal.sc.omtrdc.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"analytics.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.adobedtm.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"c.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geoapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geostag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"s.ytimg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. 
This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.adobe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbird.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbirdstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"t.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"use.typekit.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleadservices.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"pay.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.paypal.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"font-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.monzo.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"child-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"base-uri","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the 
unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"object-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"img-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"manifest-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"media-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.paypal.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"form-action","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.arcot.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"frame-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.touchtechpayments.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.wirecard.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary 
source","severity":"LOW","directive":"form-action","source":"*.wlp-acs.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.adobe.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.braintreegateway.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.cardinalcommerce.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.google.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.cardinalcommerce.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube-nocookie.com","message":"This source is repeated, or is already covered by a broader source in the same directive (such as '*'), so it adds nothing","recommendation":"Consider removing the extra source; if a wildcard such as '*' is what makes it redundant, tighten the wildcard instead","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default 
directive","severity":"LOW","directive":"connect-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694d1af90f790b66efabe34d","ts":"2025-12-25T11:07:37.611Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://emr.hhnsystem.com/login","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' https://code.jquery.com/jquery-3.7.1.min.js https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/js/ 'report-sample'; style-src 'self' https://fonts.googleapis.com/css https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/css/ 'report-sample'; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://emr.hhnsystem.com; connect-src 'self' https://plausible.io/api/event; media-src 'self'; form-action 'self'; frame-src 'self' https://platform.twitter.com https://plausible.io https://utteranc.es https://github.com https://www.youtube.com https://vimeo.com; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; report-uri 
https://csper.io/report/your-project-id;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io/api/event"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","https://github.com","https://platform.twitter.com","https://plausible.io","https://utteranc.es","https://vimeo.com","https://www.youtube.com"],"img-src":["'self'","https://emr.hhnsystem.com"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["https://csper.io/report/your-project-id"],"script-src":["'report-sample'","'self'","https://cdn.jsdelivr.net/npm/","https://cdnjs.cloudflare.com/ajax/libs/","https://code.jquery.com/jquery-3.7.1.min.js","https://emr.hhnsystem.com/js/"],"style-src":["'report-sample'","'self'","https://cdn.jsdelivr.net/npm/","https://cdnjs.cloudflare.com/ajax/libs/","https://emr.hhnsystem.com/css/","https://fonts.googleapis.com/css"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","media-src","form-action","frame-src","frame-ancestors","object-src","base-uri","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","https://cdn.jsdelivr.net/npm/":"host-source","https://cdnjs.cloudflare.com/ajax/libs/":"host-source","https://code.jquery.com/jquery-3.7.1.min.js":"host-source","https://csper.io/report/your-project-id":"host-source","https://emr.hhnsystem.com":"host-source","https://emr.hhnsystem.com/css/":"host-source","https://emr.hhnsystem.com/js/":"host-source","https://fonts.googleapis.com/css":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://plausible.io":"host-source","https://plausible.io/api/event":"host-source","https://utteranc.es":"host-source","https://vimeo.com":"host-source","https://www.youtube.com":
"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://code.jquery.com/jquery-3.7.1.min.js https://emr.hhnsystem.com/js/; style-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/css/ https://fonts.googleapis.com/css; object-src 'none'; base-uri 'self'; connect-src 'self' https://plausible.io/api/event; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://github.com https://platform.twitter.com https://plausible.io https://utteranc.es https://vimeo.com https://www.youtube.com; img-src 'self' https://emr.hhnsystem.com; media-src 'self'; report-uri https://csper.io/report/your-project-id;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"694d135bca32a360dfdb9972","ts":"2025-12-25T10:35:07.562Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://emr.hhnsystem.com/dashboard","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' https://code.jquery.com/jquery-3.7.1.min.js https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/js/ 'report-sample'; style-src 'self' https://fonts.googleapis.com/css https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/css/ 'report-sample'; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://emr.hhnsystem.com; connect-src 'self' https://plausible.io/api/event; media-src 'self'; form-action 'self'; frame-src 'self' https://platform.twitter.com https://plausible.io https://utteranc.es https://github.com https://www.youtube.com https://vimeo.com; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; report-uri 
https://csper.io/report/your-project-id;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io/api/event"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","https://github.com","https://platform.twitter.com","https://plausible.io","https://utteranc.es","https://vimeo.com","https://www.youtube.com"],"img-src":["'self'","https://emr.hhnsystem.com"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["https://csper.io/report/your-project-id"],"script-src":["'report-sample'","'self'","https://cdn.jsdelivr.net/npm/","https://cdnjs.cloudflare.com/ajax/libs/","https://code.jquery.com/jquery-3.7.1.min.js","https://emr.hhnsystem.com/js/"],"style-src":["'report-sample'","'self'","https://cdn.jsdelivr.net/npm/","https://cdnjs.cloudflare.com/ajax/libs/","https://emr.hhnsystem.com/css/","https://fonts.googleapis.com/css"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","media-src","form-action","frame-src","frame-ancestors","object-src","base-uri","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","https://cdn.jsdelivr.net/npm/":"host-source","https://cdnjs.cloudflare.com/ajax/libs/":"host-source","https://code.jquery.com/jquery-3.7.1.min.js":"host-source","https://csper.io/report/your-project-id":"host-source","https://emr.hhnsystem.com":"host-source","https://emr.hhnsystem.com/css/":"host-source","https://emr.hhnsystem.com/js/":"host-source","https://fonts.googleapis.com/css":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://plausible.io":"host-source","https://plausible.io/api/event":"host-source","https://utteranc.es":"host-source","https://vimeo.com":"host-source","https://www.youtube.com":
"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://code.jquery.com/jquery-3.7.1.min.js https://emr.hhnsystem.com/js/; style-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/css/ https://fonts.googleapis.com/css; object-src 'none'; base-uri 'self'; connect-src 'self' https://plausible.io/api/event; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://github.com https://platform.twitter.com https://plausible.io https://utteranc.es https://vimeo.com https://www.youtube.com; img-src 'self' https://emr.hhnsystem.com; media-src 'self'; report-uri https://csper.io/report/your-project-id;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"694cf7e40f790b66efabe34c","ts":"2025-12-25T08:37:56.947Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://just-do.it.com/checkout/","isHidden":false,"parsedPolicy":{"policy":"font-src www.paypalobjects.com fonts.gstatic.com use.typekit.net *.typekit.net *.gstatic.com data: 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com *.paypal.com *.cardinalcommerce.com 3ds-secure.cardcomplete.com www.clicksafe.lloydstsb.com pay.activa-card.com *.wirecard.com acs.sia.eu *.touchtechpayments.com www.securesuite.co.uk rsa3dsauth.com *.monzo.com *.arcot.com *.wlp-acs.com * 'self' 'unsafe-inline'; frame-ancestors 'self'; frame-src fast.amc.demdex.net *.adobe.com bid.g.doubleclick.net *.youtube.com *.youtube-nocookie.com 
geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com www.paypalobjects.com player.vimeo.com https://www.google.com/recaptcha/ *.braintreegateway.com *.paypal.com google.com *.google.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com * 'self' 'unsafe-inline'; img-src data: assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com www.googleadservices.com *.google-analytics.com googleads.g.doubleclick.net www.google.com bid.g.doubleclick.net *.analytics.google.com www.googletagmanager.com *.ftcdn.net *.behance.net t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com *.youtube.com p.typekit.net *.paypal.com *.typekit.net *.gstatic.com validator.swagger.io www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com *.commerce-payment-services.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net *.typekit.net google.com *.google.com *.cdn-apple.com *.braintreegateway.com js.braintreegateway.com assets.braintreegateway.com 
c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com fonts.googleapis.com assets.braintreegateway.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net *.google-analytics.com www.googleadservices.com *.analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net vimeo.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com *.adobe.io performance.typekit.net *.sentry.io *.paypal.com google.com *.google.com *.braintreegateway.com *.braintree-api.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.cardinalcommerce.com 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 
'unsafe-inline';","directives":{"base-uri":["'self'","'unsafe-inline'"],"child-src":["'self'","'unsafe-inline'","*.paypal.com","assets.braintreegateway.com","blob:","c.paypal.com","http:","https:"],"connect-src":["'self'","'unsafe-inline'","*.adobe.io","*.analytics.google.com","*.braintree-api.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google-analytics.com","*.google.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.sentry.io","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","api.braintreegateway.com","api.sandbox.braintreegateway.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","client-analytics.braintreegateway.com","client-analytics.sandbox.braintreegateway.com","dpm.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","performance.typekit.net","pilot-payflowlink.paypal.com","vimeo.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"default-src":["'self'","'unsafe-eval'","'unsafe-inline'"],"font-src":["'self'","'unsafe-inline'","*.gstatic.com","*.typekit.net","data:","fonts.gstatic.com","use.typekit.net","www.paypalobjects.com"],"form-action":["'self'","'unsafe-inline'","*","*.arcot.com","*.cardinalcommerce.com","*.monzo.com","*.paypal.com","*.touchtechpayments.com","*.wirecard.com","*.wlp-acs.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","3ds-secure.cardcomplete.com","acs.sia.eu","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","pay.activa-card.com","pilot-payflowlink.paypal.com","rsa3dsauth.com","www.clicksafe.lloydstsb.com","www.paypal.com","www.sandbox.paypal.com","www.securesuite.co.uk"],"frame-ancestors":["'self'"],"frame-src":["'self'","'unsafe-inline'","*","*.adobe.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google.com","*.paypal.com","*.youtube-nocook
ie.com","*.youtube.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","assets.braintreegateway.com","bid.g.doubleclick.net","c.paypal.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","checkout.paypal.com","fast.amc.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","https://www.google.com/recaptcha/","pay.google.com","pilot-payflowlink.paypal.com","player.vimeo.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"img-src":["'self'","'unsafe-inline'","*.adobe.com","*.analytics.google.com","*.behance.net","*.ftcdn.net","*.google-analytics.com","*.gstatic.com","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","amcglobal.sc.omtrdc.net","assets.adobedtm.com","assets.braintreegateway.com","b.stats.paypal.com","bid.g.doubleclick.net","c.paypal.com","checkout.paypal.com","cm.everesttech.net","data:","data:","dpm.demdex.net","dub.stats.paypal.com","fpdbs.paypal.com","fpdbs.sandbox.paypal.com","googleads.g.doubleclick.net","i.ytimg.com","p.typekit.net","t.paypal.com","validator.swagger.io","widgets.magentocommerce.com","www.google.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"manifest-src":["'self'","'unsafe-inline'"],"media-src":["'self'","'unsafe-inline'","*.adobe.com"],"object-src":["'self'","'unsafe-inline'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*.adobe.com","*.braintreegateway.com","*.cdn-apple.com","*.commerce-payment-services.com","*.google.com","*.magento-ds.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","1eafapi.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","analytics.google.com","api.braintreegateway.com","api.sandbox.braintreegateway.com","assets.adobedtm.com","assets.braintreegateway.com","c.paypal.com","client-analytics.braintreegateway.com","client-analytics.sandbox.
braintreegateway.com","geoapi.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","googleads.g.doubleclick.net","https://www.google.com/recaptcha/","https://www.gstatic.com/recaptcha/","includestest.ccdc02.com","js.braintreegateway.com","pay.google.com","s.ytimg.com","songbird.cardinalcommerce.com","songbirdstag.cardinalcommerce.com","t.paypal.com","use.typekit.net","vimeo.com","www.google-analytics.com","www.googleadservices.com","www.googleapis.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com","www.vimeo.com"],"style-src":["'self'","'unsafe-inline'","*.adobe.com","assets.braintreegateway.com","fonts.googleapis.com"]},"directiveOrder":["font-src","form-action","frame-ancestors","frame-src","img-src","script-src","style-src","object-src","media-src","manifest-src","connect-src","child-src","default-src","base-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","*.adobe.com":"host-source","*.adobe.io":"host-source","*.analytics.google.com":"host-source","*.arcot.com":"host-source","*.behance.net":"host-source","*.braintree-api.com":"host-source","*.braintreegateway.com":"host-source","*.cardinalcommerce.com":"host-source","*.cdn-apple.com":"host-source","*.commerce-payment-services.com":"host-source","*.ftcdn.net":"host-source","*.google-analytics.com":"host-source","*.google.com":"host-source","*.gstatic.com":"host-source","*.magento-ds.com":"host-source","*.monzo.com":"host-source","*.newrelic.com":"host-source","*.nr-data.net":"host-source","*.paypal.com":"host-source","*.sentry.io":"host-source","*.touchtechpayments.com":"host-source","*.typekit.net":"host-source","*.vimeocdn.com":"host-source","*.wirecard.com":"host-source","*.wlp-acs.com":"host-source","*.youtube-nocookie.com":"host-source","*.youtube.com":"host-source","1eaf.cardinalcommerce.com":"host-source","1eafapi.cardin
alcommerce.com":"host-source","1eafstag.cardinalcommerce.com":"host-source","3ds-secure.cardcomplete.com":"host-source","acs.sia.eu":"host-source","amcglobal.sc.omtrdc.net":"host-source","analytics.google.com":"host-source","api.braintreegateway.com":"host-source","api.sandbox.braintreegateway.com":"host-source","assets.adobedtm.com":"host-source","assets.braintreegateway.com":"host-source","b.stats.paypal.com":"host-source","bid.g.doubleclick.net":"host-source","blob:":"scheme-source","c.paypal.com":"host-source","centinelapi.cardinalcommerce.com":"host-source","centinelapistag.cardinalcommerce.com":"host-source","checkout.paypal.com":"host-source","client-analytics.braintreegateway.com":"host-source","client-analytics.sandbox.braintreegateway.com":"host-source","cm.everesttech.net":"host-source","data:":"scheme-source","dpm.demdex.net":"host-source","dub.stats.paypal.com":"host-source","fast.amc.demdex.net":"host-source","fonts.googleapis.com":"host-source","fonts.gstatic.com":"host-source","fpdbs.paypal.com":"host-source","fpdbs.sandbox.paypal.com":"host-source","geo.cardinalcommerce.com":"host-source","geoapi.cardinalcommerce.com":"host-source","geostag.cardinalcommerce.com":"host-source","google.com":"host-source","googleads.g.doubleclick.net":"host-source","http:":"scheme-source","https:":"scheme-source","https://www.google.com/recaptcha/":"host-source","https://www.gstatic.com/recaptcha/":"host-source","i.ytimg.com":"host-source","includestest.ccdc02.com":"host-source","js.braintreegateway.com":"host-source","p.typekit.net":"host-source","pay.activa-card.com":"host-source","pay.google.com":"host-source","performance.typekit.net":"host-source","pilot-payflowlink.paypal.com":"host-source","player.vimeo.com":"host-source","rsa3dsauth.com":"host-source","s.ytimg.com":"host-source","songbird.cardinalcommerce.com":"host-source","songbirdstag.cardinalcommerce.com":"host-source","t.paypal.com":"host-source","use.typekit.net":"host-source","validator.swagger.io":"host
-source","vimeo.com":"host-source","widgets.magentocommerce.com":"host-source","www.clicksafe.lloydstsb.com":"host-source","www.google-analytics.com":"host-source","www.google.com":"host-source","www.googleadservices.com":"host-source","www.googleapis.com":"host-source","www.googletagmanager.com":"host-source","www.paypal.com":"host-source","www.paypalobjects.com":"host-source","www.sandbox.paypal.com":"host-source","www.securesuite.co.uk":"host-source","www.vimeo.com":"host-source"}},"disposition":"report","source":"header","policies":["default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.adobe.com *.braintreegateway.com *.cdn-apple.com *.commerce-payment-services.com *.google.com *.magento-ds.com *.newrelic.com *.nr-data.net *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com 1eafapi.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net analytics.google.com api.braintreegateway.com api.sandbox.braintreegateway.com assets.adobedtm.com assets.braintreegateway.com c.paypal.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com geoapi.cardinalcommerce.com geostag.cardinalcommerce.com google.com googleads.g.doubleclick.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ includestest.ccdc02.com js.braintreegateway.com pay.google.com s.ytimg.com songbird.cardinalcommerce.com songbirdstag.cardinalcommerce.com t.paypal.com use.typekit.net vimeo.com www.google-analytics.com www.googleadservices.com www.googleapis.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com www.vimeo.com; style-src 'self' 'unsafe-inline' *.adobe.com assets.braintreegateway.com fonts.googleapis.com; object-src 'self' 'unsafe-inline'; base-uri 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline' *.paypal.com assets.braintreegateway.com blob: c.paypal.com http: https:; connect-src 'self' 'unsafe-inline' *.adobe.io *.analytics.google.com 
*.braintree-api.com *.braintreegateway.com *.cardinalcommerce.com *.google-analytics.com *.google.com *.newrelic.com *.nr-data.net *.paypal.com *.sentry.io 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net api.braintreegateway.com api.sandbox.braintreegateway.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com dpm.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com performance.typekit.net pilot-payflowlink.paypal.com vimeo.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; font-src 'self' 'unsafe-inline' *.gstatic.com *.typekit.net data: fonts.gstatic.com use.typekit.net www.paypalobjects.com; form-action 'self' 'unsafe-inline' * *.arcot.com *.cardinalcommerce.com *.monzo.com *.paypal.com *.touchtechpayments.com *.wirecard.com *.wlp-acs.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com 3ds-secure.cardcomplete.com acs.sia.eu centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com geo.cardinalcommerce.com geostag.cardinalcommerce.com pay.activa-card.com pilot-payflowlink.paypal.com rsa3dsauth.com www.clicksafe.lloydstsb.com www.paypal.com www.sandbox.paypal.com www.securesuite.co.uk; frame-ancestors 'self'; frame-src 'self' 'unsafe-inline' * *.adobe.com *.braintreegateway.com *.cardinalcommerce.com *.google.com *.paypal.com *.youtube-nocookie.com *.youtube.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com assets.braintreegateway.com bid.g.doubleclick.net c.paypal.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com checkout.paypal.com fast.amc.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com https://www.google.com/recaptcha/ pay.google.com pilot-payflowlink.paypal.com player.vimeo.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; img-src 'self' 
'unsafe-inline' *.adobe.com *.analytics.google.com *.behance.net *.ftcdn.net *.google-analytics.com *.gstatic.com *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com amcglobal.sc.omtrdc.net assets.adobedtm.com assets.braintreegateway.com b.stats.paypal.com bid.g.doubleclick.net c.paypal.com checkout.paypal.com cm.everesttech.net data: dpm.demdex.net dub.stats.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com googleads.g.doubleclick.net i.ytimg.com p.typekit.net t.paypal.com validator.swagger.io widgets.magentocommerce.com www.google.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; manifest-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline' *.adobe.com;"],"stats":{"totalHigh":1,"totalMedium":47,"totalLow":27,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"includestest.ccdc02.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"googleads.g.doubleclick.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.braintreegateway.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.cdn-apple.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"child-src","source":"http:","message":"Allowing content over insecure channels can allow snooping and tampering of data.","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.sandbox.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypalobjects.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"js.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.commerce-payment-services.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.magento-ds.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.newrelic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.nr-data.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.paypal.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.typekit.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.vimeocdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"amcglobal.sc.omtrdc.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"analytics.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.adobedtm.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"c.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geoapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geostag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"s.ytimg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.adobe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbird.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbirdstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"t.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"use.typekit.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleadservices.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"pay.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.paypal.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"font-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.monzo.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default 
directive","severity":"LOW","directive":"child-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"base-uri","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"object-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"img-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"manifest-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"media-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on 
style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.paypal.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"form-action","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.arcot.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"frame-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.touchtechpayments.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary 
source","severity":"LOW","directive":"form-action","source":"*.wirecard.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.wlp-acs.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.adobe.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.braintreegateway.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.cardinalcommerce.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.google.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.cardinalcommerce.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary 
source","severity":"LOW","directive":"frame-src","source":"*.youtube-nocookie.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"connect-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694cf5da0f790b66efabe33a","ts":"2025-12-25T08:29:14.354Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://emr.hhnsystem.com/dashboard","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' https://code.jquery.com/jquery-3.7.1.min.js https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/js/ 'report-sample'; style-src 'self' https://fonts.googleapis.com/css https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/css/ 'report-sample'; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://emr.hhnsystem.com; connect-src 'self' https://plausible.io/api/event; media-src 'self'; form-action 'self'; frame-src 'self' https://platform.twitter.com https://plausible.io https://utteranc.es https://github.com https://www.youtube.com https://vimeo.com; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; report-uri 
https://csper.io/report/your-project-id;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io/api/event"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","https://github.com","https://platform.twitter.com","https://plausible.io","https://utteranc.es","https://vimeo.com","https://www.youtube.com"],"img-src":["'self'","https://emr.hhnsystem.com"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["https://csper.io/report/your-project-id"],"script-src":["'report-sample'","'self'","https://cdn.jsdelivr.net/npm/","https://cdnjs.cloudflare.com/ajax/libs/","https://code.jquery.com/jquery-3.7.1.min.js","https://emr.hhnsystem.com/js/"],"style-src":["'report-sample'","'self'","https://cdn.jsdelivr.net/npm/","https://cdnjs.cloudflare.com/ajax/libs/","https://emr.hhnsystem.com/css/","https://fonts.googleapis.com/css"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","media-src","form-action","frame-src","frame-ancestors","object-src","base-uri","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","https://cdn.jsdelivr.net/npm/":"host-source","https://cdnjs.cloudflare.com/ajax/libs/":"host-source","https://code.jquery.com/jquery-3.7.1.min.js":"host-source","https://csper.io/report/your-project-id":"host-source","https://emr.hhnsystem.com":"host-source","https://emr.hhnsystem.com/css/":"host-source","https://emr.hhnsystem.com/js/":"host-source","https://fonts.googleapis.com/css":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://plausible.io":"host-source","https://plausible.io/api/event":"host-source","https://utteranc.es":"host-source","https://vimeo.com":"host-source","https://www.youtube.com":
"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://code.jquery.com/jquery-3.7.1.min.js https://emr.hhnsystem.com/js/; style-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://emr.hhnsystem.com/css/ https://fonts.googleapis.com/css; object-src 'none'; base-uri 'self'; connect-src 'self' https://plausible.io/api/event; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://github.com https://platform.twitter.com https://plausible.io https://utteranc.es https://vimeo.com https://www.youtube.com; img-src 'self' https://emr.hhnsystem.com; media-src 'self'; report-uri https://csper.io/report/your-project-id;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"694ceeacca32a360dfdb995f","ts":"2025-12-25T07:58:36.123Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://emr.hhnsystem.com/dashboard","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' https://code.jquery.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://emr.hhnsystem.com; style-src 'self' https://fonts.googleapis.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://emr.hhnsystem.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://emr.hhnsystem.com; connect-src 'self' https://plausible.io; media-src 'self'; form-action 'self'; frame-src 'self' https://platform.twitter.com https://plausible.io https://utteranc.es https://github.com https://www.youtube.com https://vimeo.com; frame-ancestors 'self'; object-src 'none'; base-uri 
'self'","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://plausible.io"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","https://github.com","https://platform.twitter.com","https://plausible.io","https://utteranc.es","https://vimeo.com","https://www.youtube.com"],"img-src":["'self'","https://emr.hhnsystem.com"],"media-src":["'self'"],"object-src":["'none'"],"script-src":["'self'","https://cdn.jsdelivr.net","https://cdnjs.cloudflare.com","https://code.jquery.com","https://emr.hhnsystem.com"],"style-src":["'self'","https://cdn.jsdelivr.net","https://cdnjs.cloudflare.com","https://emr.hhnsystem.com","https://fonts.googleapis.com"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","media-src","form-action","frame-src","frame-ancestors","object-src","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","https://cdn.jsdelivr.net":"host-source","https://cdnjs.cloudflare.com":"host-source","https://code.jquery.com":"host-source","https://emr.hhnsystem.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://github.com":"host-source","https://platform.twitter.com":"host-source","https://plausible.io":"host-source","https://utteranc.es":"host-source","https://vimeo.com":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://code.jquery.com https://emr.hhnsystem.com; style-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://emr.hhnsystem.com https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://plausible.io; font-src 'self' https://fonts.gstatic.com; form-action 'self'; 
frame-ancestors 'self'; frame-src 'self' https://github.com https://platform.twitter.com https://plausible.io https://utteranc.es https://vimeo.com https://www.youtube.com; img-src 'self' https://emr.hhnsystem.com; media-src 'self';"],"stats":{"totalHigh":0,"totalMedium":5,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.jsdelivr.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://emr.hhnsystem.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"694c2e370f790b66efabe319","ts":"2025-12-24T18:17:27.008Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://just-do.it.com/checkout/","isHidden":false,"parsedPolicy":{"policy":"font-src www.paypalobjects.com fonts.gstatic.com use.typekit.net *.typekit.net *.gstatic.com data: 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com *.paypal.com *.cardinalcommerce.com 3ds-secure.cardcomplete.com www.clicksafe.lloydstsb.com pay.activa-card.com *.wirecard.com acs.sia.eu *.touchtechpayments.com www.securesuite.co.uk rsa3dsauth.com *.monzo.com *.arcot.com *.wlp-acs.com * 'self' 'unsafe-inline'; frame-ancestors 'self'; frame-src fast.amc.demdex.net *.adobe.com bid.g.doubleclick.net *.youtube.com *.youtube-nocookie.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com www.paypalobjects.com player.vimeo.com https://www.google.com/recaptcha/ *.braintreegateway.com *.paypal.com google.com *.google.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com * 'self' 'unsafe-inline'; img-src data: assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com www.googleadservices.com *.google-analytics.com googleads.g.doubleclick.net www.google.com bid.g.doubleclick.net 
*.analytics.google.com www.googletagmanager.com *.ftcdn.net *.behance.net t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com *.youtube.com p.typekit.net *.paypal.com *.typekit.net *.gstatic.com validator.swagger.io www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com *.commerce-payment-services.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net *.typekit.net google.com *.google.com *.cdn-apple.com *.braintreegateway.com js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com fonts.googleapis.com assets.braintreegateway.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net *.google-analytics.com www.googleadservices.com *.analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net vimeo.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 
1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com *.adobe.io performance.typekit.net *.sentry.io *.paypal.com google.com *.google.com *.braintreegateway.com *.braintree-api.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.cardinalcommerce.com 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';","directives":{"base-uri":["'self'","'unsafe-inline'"],"child-src":["'self'","'unsafe-inline'","*.paypal.com","assets.braintreegateway.com","blob:","c.paypal.com","http:","https:"],"connect-src":["'self'","'unsafe-inline'","*.adobe.io","*.analytics.google.com","*.braintree-api.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google-analytics.com","*.google.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.sentry.io","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","api.braintreegateway.com","api.sandbox.braintreegateway.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","client-analytics.braintreegateway.com","client-analytics.sandbox.braintreegateway.com","dpm.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","performance.typekit.net","pilot-payflowlink.paypal.com","vimeo.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"default-src":["'self'","'unsafe-eval'","'unsafe-inline'"],"font-src":["'self'","'unsafe-inline'","*.gstatic.com","*.typekit.net","data:","fonts.gstatic.com","use.typekit.net","www.paypalobjects.com"],"form-action":["'self'","'unsafe-inline'","*","*.arcot.com","*.cardinalcommerce.com",
"*.monzo.com","*.paypal.com","*.touchtechpayments.com","*.wirecard.com","*.wlp-acs.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","3ds-secure.cardcomplete.com","acs.sia.eu","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","pay.activa-card.com","pilot-payflowlink.paypal.com","rsa3dsauth.com","www.clicksafe.lloydstsb.com","www.paypal.com","www.sandbox.paypal.com","www.securesuite.co.uk"],"frame-ancestors":["'self'"],"frame-src":["'self'","'unsafe-inline'","*","*.adobe.com","*.braintreegateway.com","*.cardinalcommerce.com","*.google.com","*.paypal.com","*.youtube-nocookie.com","*.youtube.com","1eaf.cardinalcommerce.com","1eafstag.cardinalcommerce.com","assets.braintreegateway.com","bid.g.doubleclick.net","c.paypal.com","centinelapi.cardinalcommerce.com","centinelapistag.cardinalcommerce.com","checkout.paypal.com","fast.amc.demdex.net","geo.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","https://www.google.com/recaptcha/","pay.google.com","pilot-payflowlink.paypal.com","player.vimeo.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"img-src":["'self'","'unsafe-inline'","*.adobe.com","*.analytics.google.com","*.behance.net","*.ftcdn.net","*.google-analytics.com","*.gstatic.com","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","amcglobal.sc.omtrdc.net","assets.adobedtm.com","assets.braintreegateway.com","b.stats.paypal.com","bid.g.doubleclick.net","c.paypal.com","checkout.paypal.com","cm.everesttech.net","data:","data:","dpm.demdex.net","dub.stats.paypal.com","fpdbs.paypal.com","fpdbs.sandbox.paypal.com","googleads.g.doubleclick.net","i.ytimg.com","p.typekit.net","t.paypal.com","validator.swagger.io","widgets.magentocommerce.com","www.google.com","www.googleadservices.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com"],"manifest-src":["'self'","'unsafe-inline'"],"media-sr
c":["'self'","'unsafe-inline'","*.adobe.com"],"object-src":["'self'","'unsafe-inline'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*.adobe.com","*.braintreegateway.com","*.cdn-apple.com","*.commerce-payment-services.com","*.google.com","*.magento-ds.com","*.newrelic.com","*.nr-data.net","*.paypal.com","*.typekit.net","*.vimeocdn.com","*.youtube.com","1eafapi.cardinalcommerce.com","1eafstag.cardinalcommerce.com","amcglobal.sc.omtrdc.net","analytics.google.com","api.braintreegateway.com","api.sandbox.braintreegateway.com","assets.adobedtm.com","assets.braintreegateway.com","c.paypal.com","client-analytics.braintreegateway.com","client-analytics.sandbox.braintreegateway.com","geoapi.cardinalcommerce.com","geostag.cardinalcommerce.com","google.com","googleads.g.doubleclick.net","https://www.google.com/recaptcha/","https://www.gstatic.com/recaptcha/","includestest.ccdc02.com","js.braintreegateway.com","pay.google.com","s.ytimg.com","songbird.cardinalcommerce.com","songbirdstag.cardinalcommerce.com","t.paypal.com","use.typekit.net","vimeo.com","www.google-analytics.com","www.googleadservices.com","www.googleapis.com","www.googletagmanager.com","www.paypal.com","www.paypalobjects.com","www.sandbox.paypal.com","www.vimeo.com"],"style-src":["'self'","'unsafe-inline'","*.adobe.com","assets.braintreegateway.com","fonts.googleapis.com"]},"directiveOrder":["font-src","form-action","frame-ancestors","frame-src","img-src","script-src","style-src","object-src","media-src","manifest-src","connect-src","child-src","default-src","base-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","*.adobe.com":"host-source","*.adobe.io":"host-source","*.analytics.google.com":"host-source","*.arcot.com":"host-source","*.behance.net":"host-source","*.braintree-api.com":"host-source","*.braintreegateway.com":"host-source","*.cardinalcommerce.com":"host-source"
,"*.cdn-apple.com":"host-source","*.commerce-payment-services.com":"host-source","*.ftcdn.net":"host-source","*.google-analytics.com":"host-source","*.google.com":"host-source","*.gstatic.com":"host-source","*.magento-ds.com":"host-source","*.monzo.com":"host-source","*.newrelic.com":"host-source","*.nr-data.net":"host-source","*.paypal.com":"host-source","*.sentry.io":"host-source","*.touchtechpayments.com":"host-source","*.typekit.net":"host-source","*.vimeocdn.com":"host-source","*.wirecard.com":"host-source","*.wlp-acs.com":"host-source","*.youtube-nocookie.com":"host-source","*.youtube.com":"host-source","1eaf.cardinalcommerce.com":"host-source","1eafapi.cardinalcommerce.com":"host-source","1eafstag.cardinalcommerce.com":"host-source","3ds-secure.cardcomplete.com":"host-source","acs.sia.eu":"host-source","amcglobal.sc.omtrdc.net":"host-source","analytics.google.com":"host-source","api.braintreegateway.com":"host-source","api.sandbox.braintreegateway.com":"host-source","assets.adobedtm.com":"host-source","assets.braintreegateway.com":"host-source","b.stats.paypal.com":"host-source","bid.g.doubleclick.net":"host-source","blob:":"scheme-source","c.paypal.com":"host-source","centinelapi.cardinalcommerce.com":"host-source","centinelapistag.cardinalcommerce.com":"host-source","checkout.paypal.com":"host-source","client-analytics.braintreegateway.com":"host-source","client-analytics.sandbox.braintreegateway.com":"host-source","cm.everesttech.net":"host-source","data:":"scheme-source","dpm.demdex.net":"host-source","dub.stats.paypal.com":"host-source","fast.amc.demdex.net":"host-source","fonts.googleapis.com":"host-source","fonts.gstatic.com":"host-source","fpdbs.paypal.com":"host-source","fpdbs.sandbox.paypal.com":"host-source","geo.cardinalcommerce.com":"host-source","geoapi.cardinalcommerce.com":"host-source","geostag.cardinalcommerce.com":"host-source","google.com":"host-source","googleads.g.doubleclick.net":"host-source","http:":"scheme-source","https:":"scheme-so
urce","https://www.google.com/recaptcha/":"host-source","https://www.gstatic.com/recaptcha/":"host-source","i.ytimg.com":"host-source","includestest.ccdc02.com":"host-source","js.braintreegateway.com":"host-source","p.typekit.net":"host-source","pay.activa-card.com":"host-source","pay.google.com":"host-source","performance.typekit.net":"host-source","pilot-payflowlink.paypal.com":"host-source","player.vimeo.com":"host-source","rsa3dsauth.com":"host-source","s.ytimg.com":"host-source","songbird.cardinalcommerce.com":"host-source","songbirdstag.cardinalcommerce.com":"host-source","t.paypal.com":"host-source","use.typekit.net":"host-source","validator.swagger.io":"host-source","vimeo.com":"host-source","widgets.magentocommerce.com":"host-source","www.clicksafe.lloydstsb.com":"host-source","www.google-analytics.com":"host-source","www.google.com":"host-source","www.googleadservices.com":"host-source","www.googleapis.com":"host-source","www.googletagmanager.com":"host-source","www.paypal.com":"host-source","www.paypalobjects.com":"host-source","www.sandbox.paypal.com":"host-source","www.securesuite.co.uk":"host-source","www.vimeo.com":"host-source"}},"disposition":"report","source":"header","policies":["default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.adobe.com *.braintreegateway.com *.cdn-apple.com *.commerce-payment-services.com *.google.com *.magento-ds.com *.newrelic.com *.nr-data.net *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com 1eafapi.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net analytics.google.com api.braintreegateway.com api.sandbox.braintreegateway.com assets.adobedtm.com assets.braintreegateway.com c.paypal.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com geoapi.cardinalcommerce.com geostag.cardinalcommerce.com google.com googleads.g.doubleclick.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 
includestest.ccdc02.com js.braintreegateway.com pay.google.com s.ytimg.com songbird.cardinalcommerce.com songbirdstag.cardinalcommerce.com t.paypal.com use.typekit.net vimeo.com www.google-analytics.com www.googleadservices.com www.googleapis.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com www.vimeo.com; style-src 'self' 'unsafe-inline' *.adobe.com assets.braintreegateway.com fonts.googleapis.com; object-src 'self' 'unsafe-inline'; base-uri 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline' *.paypal.com assets.braintreegateway.com blob: c.paypal.com http: https:; connect-src 'self' 'unsafe-inline' *.adobe.io *.analytics.google.com *.braintree-api.com *.braintreegateway.com *.cardinalcommerce.com *.google-analytics.com *.google.com *.newrelic.com *.nr-data.net *.paypal.com *.sentry.io 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com amcglobal.sc.omtrdc.net api.braintreegateway.com api.sandbox.braintreegateway.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com dpm.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com performance.typekit.net pilot-payflowlink.paypal.com vimeo.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; font-src 'self' 'unsafe-inline' *.gstatic.com *.typekit.net data: fonts.gstatic.com use.typekit.net www.paypalobjects.com; form-action 'self' 'unsafe-inline' * *.arcot.com *.cardinalcommerce.com *.monzo.com *.paypal.com *.touchtechpayments.com *.wirecard.com *.wlp-acs.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com 3ds-secure.cardcomplete.com acs.sia.eu centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com geo.cardinalcommerce.com geostag.cardinalcommerce.com pay.activa-card.com pilot-payflowlink.paypal.com rsa3dsauth.com www.clicksafe.lloydstsb.com www.paypal.com 
www.sandbox.paypal.com www.securesuite.co.uk; frame-ancestors 'self'; frame-src 'self' 'unsafe-inline' * *.adobe.com *.braintreegateway.com *.cardinalcommerce.com *.google.com *.paypal.com *.youtube-nocookie.com *.youtube.com 1eaf.cardinalcommerce.com 1eafstag.cardinalcommerce.com assets.braintreegateway.com bid.g.doubleclick.net c.paypal.com centinelapi.cardinalcommerce.com centinelapistag.cardinalcommerce.com checkout.paypal.com fast.amc.demdex.net geo.cardinalcommerce.com geostag.cardinalcommerce.com google.com https://www.google.com/recaptcha/ pay.google.com pilot-payflowlink.paypal.com player.vimeo.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; img-src 'self' 'unsafe-inline' *.adobe.com *.analytics.google.com *.behance.net *.ftcdn.net *.google-analytics.com *.gstatic.com *.paypal.com *.typekit.net *.vimeocdn.com *.youtube.com amcglobal.sc.omtrdc.net assets.adobedtm.com assets.braintreegateway.com b.stats.paypal.com bid.g.doubleclick.net c.paypal.com checkout.paypal.com cm.everesttech.net data: dpm.demdex.net dub.stats.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com googleads.g.doubleclick.net i.ytimg.com p.typekit.net t.paypal.com validator.swagger.io widgets.magentocommerce.com www.google.com www.googleadservices.com www.googletagmanager.com www.paypal.com www.paypalobjects.com www.sandbox.paypal.com; manifest-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline' *.adobe.com;"],"stats":{"totalHigh":1,"totalMedium":47,"totalLow":27,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. 
This will probably require refactoring the code: move inline scripts into external files served from an allowed origin, or allow the remaining inline scripts individually with a nonce or hash ('nonce-...' / 'sha256-...'). Browsers that support nonces/hashes ignore 'unsafe-inline' once either is present in script-src, so it can be dropped without breaking the transition.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"includestest.ccdc02.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"googleads.g.doubleclick.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.braintreegateway.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.cdn-apple.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"child-src","source":"http:","message":"Allowing content over insecure channels can allow snooping on and tampering with data. Note that a bare scheme source such as http: or https: matches any host using that scheme, so it also removes the host allow-list for the directive.","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.sandbox.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypalobjects.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"js.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.commerce-payment-services.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.magento-ds.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.newrelic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.nr-data.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.paypal.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.typekit.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.vimeocdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"1eafstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"amcglobal.sc.omtrdc.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"analytics.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"api.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.adobedtm.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"c.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"client-analytics.sandbox.braintreegateway.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geoapi.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"geostag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"s.ytimg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. 
This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.adobe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbird.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"songbirdstag.cardinalcommerce.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"t.paypal.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"use.typekit.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleadservices.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"pay.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.paypal.com","message":"This source is repeated or unnecessary: frame-src already contains the '*' wildcard, which permits framing content from any origin, so the named hosts add nothing.","recommendation":"Consider removing the extra source, or better, removing '*' so that the host allow-list is actually enforced","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube.com","message":"This source is repeated or unnecessary: frame-src already contains the '*' wildcard, which permits framing content from any origin, so the named hosts add nothing.","recommendation":"Consider removing the extra source, or better, removing '*' so that the host allow-list is actually enforced","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"font-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.monzo.com","message":"This source is repeated or unnecessary: form-action already contains the '*' wildcard, which permits form submission to any origin and so effectively disables the directive; the named hosts add nothing.","recommendation":"Consider removing the extra source, or better, removing '*' from form-action so that an injected form cannot exfiltrate submitted data to an arbitrary origin","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"child-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"base-uri","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the 
unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"object-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"img-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"manifest-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"media-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.paypal.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"form-action","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.arcot.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"frame-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.touchtechpayments.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.wirecard.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary 
source","severity":"LOW","directive":"form-action","source":"*.wlp-acs.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.adobe.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.braintreegateway.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.cardinalcommerce.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.google.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"form-action","source":"*.cardinalcommerce.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube-nocookie.com","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default 
directive","severity":"LOW","directive":"connect-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]}]