[{"id":"69334e76e378862f9ebd2c69","ts":"2025-12-05T21:28:22.656Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.libertymedia.com/about/company-history","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors self https://www.libertymedia.com; default-src *.gstatic.com widget.usersnap.com *.amazonaws.com/upload.usersnap.com ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net; script-src *.quotemedia.com *.google.com *.google-analytics.com *.gstatic.com *.googletagmanager.com *.hcaptcha.com hcaptcha.com player.vimeo.com widget.usersnap.com resources.usersnap.com ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net 'unsafe-inline'; connect-src *.quotemedia.com *.google.com *.google-analytics.com *.gstatic.com *.googletagmanager.com *.hcaptcha.com hcaptcha.com player.vimeo.com widget.usersnap.com resources.usersnap.com ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net 'unsafe-inline'; style-src fonts.googleapis.com *.gstatic.com *.hcaptcha.com hcaptcha.com *.quotemedia.com ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net 'unsafe-inline'; font-src cdnjs.cloudflare.com/ajax/libs/font-awesome/ fonts.googleapis.com *.gstatic.com ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net; img-src d32z8e2q3dzvu4.cloudfront.net i.vimeocdn.com resources.usersnap.com ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net; frame-src *.google.com www.youtube.com youtube-nocookie.com vimeo.com *.hcaptcha.com hcaptcha.com player.vimeo.com youtube.com ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net; object-src *.gstatic.com widget.usersnap.com *.amazonaws.com/upload.usersnap.com 
ir.stockpr.com www.libertymedia.com d1io3yog0oux5.cloudfront.net *.equisolve-dev.com *.equisolve.net;","directives":{"connect-src":["'unsafe-inline'","*.equisolve-dev.com","*.equisolve.net","*.google-analytics.com","*.google.com","*.googletagmanager.com","*.gstatic.com","*.hcaptcha.com","*.quotemedia.com","d1io3yog0oux5.cloudfront.net","hcaptcha.com","ir.stockpr.com","player.vimeo.com","resources.usersnap.com","widget.usersnap.com","www.libertymedia.com"],"default-src":["*.amazonaws.com/upload.usersnap.com","*.equisolve-dev.com","*.equisolve.net","*.gstatic.com","d1io3yog0oux5.cloudfront.net","ir.stockpr.com","widget.usersnap.com","www.libertymedia.com"],"font-src":["*.equisolve-dev.com","*.equisolve.net","*.gstatic.com","cdnjs.cloudflare.com/ajax/libs/font-awesome/","d1io3yog0oux5.cloudfront.net","fonts.googleapis.com","ir.stockpr.com","www.libertymedia.com"],"frame-ancestors":["https://www.libertymedia.com","self"],"frame-src":["*.equisolve-dev.com","*.equisolve.net","*.google.com","*.hcaptcha.com","d1io3yog0oux5.cloudfront.net","hcaptcha.com","ir.stockpr.com","player.vimeo.com","vimeo.com","www.libertymedia.com","www.youtube.com","youtube-nocookie.com","youtube.com"],"img-src":["*.equisolve-dev.com","*.equisolve.net","d1io3yog0oux5.cloudfront.net","d32z8e2q3dzvu4.cloudfront.net","i.vimeocdn.com","ir.stockpr.com","resources.usersnap.com","www.libertymedia.com"],"object-src":["*.amazonaws.com/upload.usersnap.com","*.equisolve-dev.com","*.equisolve.net","*.gstatic.com","d1io3yog0oux5.cloudfront.net","ir.stockpr.com","widget.usersnap.com","www.libertymedia.com"],"script-src":["'unsafe-inline'","*.equisolve-dev.com","*.equisolve.net","*.google-analytics.com","*.google.com","*.googletagmanager.com","*.gstatic.com","*.hcaptcha.com","*.quotemedia.com","d1io3yog0oux5.cloudfront.net","hcaptcha.com","ir.stockpr.com","player.vimeo.com","resources.usersnap.com","widget.usersnap.com","www.libertymedia.com"],"style-src":["'unsafe-inline'","*.equisolve-dev.com","*.equisolve.net"
,"*.gstatic.com","*.hcaptcha.com","*.quotemedia.com","d1io3yog0oux5.cloudfront.net","fonts.googleapis.com","hcaptcha.com","ir.stockpr.com","www.libertymedia.com"]},"directiveOrder":["frame-ancestors","default-src","script-src","connect-src","style-src","font-src","img-src","frame-src","object-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'unsafe-inline'":"keyword-source","*.amazonaws.com/upload.usersnap.com":"host-source","*.equisolve-dev.com":"host-source","*.equisolve.net":"host-source","*.google-analytics.com":"host-source","*.google.com":"host-source","*.googletagmanager.com":"host-source","*.gstatic.com":"host-source","*.hcaptcha.com":"host-source","*.quotemedia.com":"host-source","cdnjs.cloudflare.com/ajax/libs/font-awesome/":"host-source","d1io3yog0oux5.cloudfront.net":"host-source","d32z8e2q3dzvu4.cloudfront.net":"host-source","fonts.googleapis.com":"host-source","hcaptcha.com":"host-source","https://www.libertymedia.com":"host-source","i.vimeocdn.com":"host-source","ir.stockpr.com":"host-source","player.vimeo.com":"host-source","resources.usersnap.com":"host-source","self":"keyword-source","vimeo.com":"host-source","widget.usersnap.com":"host-source","www.libertymedia.com":"host-source","www.youtube.com":"host-source","youtube-nocookie.com":"host-source","youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src *.amazonaws.com/upload.usersnap.com *.equisolve-dev.com *.equisolve.net *.gstatic.com d1io3yog0oux5.cloudfront.net ir.stockpr.com widget.usersnap.com www.libertymedia.com; script-src 'unsafe-inline' *.equisolve-dev.com *.equisolve.net *.google-analytics.com *.google.com *.googletagmanager.com *.gstatic.com *.hcaptcha.com *.quotemedia.com d1io3yog0oux5.cloudfront.net hcaptcha.com ir.stockpr.com player.vimeo.com resources.usersnap.com widget.usersnap.com www.libertymedia.com; style-src 'unsafe-inline' *.equisolve-dev.com *.equisolve.net *.gstatic.com *.hcaptcha.com *.quotemedia.com 
d1io3yog0oux5.cloudfront.net fonts.googleapis.com hcaptcha.com ir.stockpr.com www.libertymedia.com; object-src *.amazonaws.com/upload.usersnap.com *.equisolve-dev.com *.equisolve.net *.gstatic.com d1io3yog0oux5.cloudfront.net ir.stockpr.com widget.usersnap.com www.libertymedia.com; connect-src 'unsafe-inline' *.equisolve-dev.com *.equisolve.net *.google-analytics.com *.google.com *.googletagmanager.com *.gstatic.com *.hcaptcha.com *.quotemedia.com d1io3yog0oux5.cloudfront.net hcaptcha.com ir.stockpr.com player.vimeo.com resources.usersnap.com widget.usersnap.com www.libertymedia.com; font-src *.equisolve-dev.com *.equisolve.net *.gstatic.com cdnjs.cloudflare.com/ajax/libs/font-awesome/ d1io3yog0oux5.cloudfront.net fonts.googleapis.com ir.stockpr.com www.libertymedia.com; frame-ancestors https://www.libertymedia.com 'self'; frame-src *.equisolve-dev.com *.equisolve.net *.google.com *.hcaptcha.com d1io3yog0oux5.cloudfront.net hcaptcha.com ir.stockpr.com player.vimeo.com vimeo.com www.libertymedia.com www.youtube.com youtube-nocookie.com youtube.com; img-src *.equisolve-dev.com *.equisolve.net d1io3yog0oux5.cloudfront.net d32z8e2q3dzvu4.cloudfront.net i.vimeocdn.com ir.stockpr.com resources.usersnap.com www.libertymedia.com;"],"stats":{"totalHigh":1,"totalMedium":29,"totalLow":5,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.amazonaws.com/upload.usersnap.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.equisolve.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.equisolve-dev.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.equisolve.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google-analytics.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.googletagmanager.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.hcaptcha.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"*.amazonaws.com/upload.usersnap.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"*.equisolve-dev.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"*.equisolve.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy is being violated or is blocking legitimate resources.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"www.libertymedia.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.equisolve-dev.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.quotemedia.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"d1io3yog0oux5.cloudfront.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"hcaptcha.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"ir.stockpr.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"player.vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"resources.usersnap.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"widget.usersnap.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.libertymedia.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"d1io3yog0oux5.cloudfront.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"ir.stockpr.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"object-src","source":"widget.usersnap.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"connect-src","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible. form-action does not fall back to default-src.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69334b71d159127ecd9603fd","ts":"2025-12-05T21:15:29.805Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"http://www.yahoo.com","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.pnr.ouryahoo.com https://pnr.ouryahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.onesearch.com https://*.verizonmedia.com https://*.publishing.oath.com https://cdn.taboola.com https://ads.taboola.com chrome-extension://jdanfkhnfpagoijgfmklhgakdicpnfil; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation allow-top-navigation-by-user-activation; report-uri 
https://csp.yahoo.com/beacon/csp?src=ats\u0026site=news\u0026region=US\u0026lang=en-US\u0026device=desktop\u0026yrid=6o9nr8tivmg0j\u0026partner=;","directives":{"frame-ancestors":["'self'","chrome-extension://jdanfkhnfpagoijgfmklhgakdicpnfil","https://*.aol.com","https://*.autoblog.com","https://*.builtbygirls.com","https://*.engadget.com","https://*.huffingtonpost.com","https://*.intheknow.com","https://*.oath.com","https://*.onesearch.com","https://*.pnr.ouryahoo.com","https://*.publishing.oath.com","https://*.rivals.com","https://*.search.aol.com","https://*.search.huffpost.com","https://*.search.yahoo.com","https://*.techcrunch.com","https://*.verizonmedia.com","https://*.yahoo.com","https://ads.taboola.com","https://cdn.taboola.com","https://pnr.ouryahoo.com"],"report-uri":["https://csp.yahoo.com/beacon/csp?src=ats\u0026site=news\u0026region=US\u0026lang=en-US\u0026device=desktop\u0026yrid=6o9nr8tivmg0j\u0026partner="],"sandbox":["allow-forms","allow-popups","allow-popups-to-escape-sandbox","allow-presentation","allow-same-origin","allow-scripts","allow-top-navigation-by-user-activation"]},"directiveOrder":["frame-ancestors","sandbox","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","allow-forms":"sandbox-source","allow-popups":"sandbox-source","allow-popups-to-escape-sandbox":"sandbox-source","allow-presentation":"sandbox-source","allow-same-origin":"sandbox-source","allow-scripts":"sandbox-source","allow-top-navigation-by-user-activation":"sandbox-source","chrome-extension://jdanfkhnfpagoijgfmklhgakdicpnfil":"host-source","https://*.aol.com":"host-source","https://*.autoblog.com":"host-source","https://*.builtbygirls.com":"host-source","https://*.engadget.com":"host-source","https://*.huffingtonpost.com":"host-source","https://*.intheknow.com":"host-source","https://*.oath.com":"host-source","https://*.onesearch.com":"host-source","https://*.pnr.ouryahoo.com":"host-source","https://*.publishing.oath.com":"ho
st-source","https://*.rivals.com":"host-source","https://*.search.aol.com":"host-source","https://*.search.huffpost.com":"host-source","https://*.search.yahoo.com":"host-source","https://*.techcrunch.com":"host-source","https://*.verizonmedia.com":"host-source","https://*.yahoo.com":"host-source","https://ads.taboola.com":"host-source","https://cdn.taboola.com":"host-source","https://csp.yahoo.com/beacon/csp?src=ats\u0026site=news\u0026region=US\u0026lang=en-US\u0026device=desktop\u0026yrid=6o9nr8tivmg0j\u0026partner=":"host-source","https://pnr.ouryahoo.com":"host-source"}},"disposition":"enforce","source":"header","policies":["frame-ancestors 'self' chrome-extension://jdanfkhnfpagoijgfmklhgakdicpnfil https://*.aol.com https://*.autoblog.com https://*.builtbygirls.com https://*.engadget.com https://*.huffingtonpost.com https://*.intheknow.com https://*.oath.com https://*.onesearch.com https://*.pnr.ouryahoo.com https://*.publishing.oath.com https://*.rivals.com https://*.search.aol.com https://*.search.huffpost.com https://*.search.yahoo.com https://*.techcrunch.com https://*.verizonmedia.com https://*.yahoo.com https://ads.taboola.com https://cdn.taboola.com https://pnr.ouryahoo.com; report-uri https://csp.yahoo.com/beacon/csp?src=ats\u0026site=news\u0026region=US\u0026lang=en-US\u0026device=desktop\u0026yrid=6o9nr8tivmg0j\u0026partner=; sandbox allow-forms allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-top-navigation-by-user-activation;"],"stats":{"totalHigh":2,"totalMedium":1,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default 
src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible. form-action does not fall back to default-src.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"sandbox","source":"allow-popups-to-escape-sandbox","message":"This source is repeated or unnecessary","recommendation":"Consider removing the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69334b0ee378862f9ebd2c5f","ts":"2025-12-05T21:13:50.427Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.google.com","isHidden":false,"parsedPolicy":{"policy":"object-src 'none';base-uri 'self';script-src 'nonce-2ylWHvGgjyvBsClf1OaqdA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp","directives":{"base-uri":["'self'"],"object-src":["'none'"],"report-uri":["https://csp.withgoogle.com/csp/gws/other-hp"],"script-src":["'nonce-2ylWHvGgjyvBsClf1OaqdA'","'report-sample'","'strict-dynamic'","'unsafe-eval'","'unsafe-inline'","http:","https:"]},"directiveOrder":["object-src","base-uri","script-src","report-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'nonce-2ylWHvGgjyvBsClf1OaqdA'":"nonce-source","'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'strict-dynamic'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","http:":"scheme-source","https:":"scheme-source","https://csp.withgoogle.com/csp/gws/other-hp":"host-source"}},"disposition":"report","source":"header","policies":["script-src 
'nonce-2ylWHvGgjyvBsClf1OaqdA' 'report-sample' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' http: https:; object-src 'none'; base-uri 'self'; report-uri https://csp.withgoogle.com/csp/gws/other-hp;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":2,"totalInfo":1},"recommendations":[{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"http:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"https:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http:","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"unsafe-inline is ignored when using nonces or hashes as a source","severity":"INFO","directive":"script-src","source":"unsafe-inline","message":"The usage of nonces and hashes means the policy ignores unsafe-inline. This can impact usability if you haven't whitelisted all inline script","recommendation":"","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69332fe603e177f52dcf1207","ts":"2025-12-05T19:17:58.957Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://api.moneypay.com.tr/pf-checkout/money_pay_logo.svg$","isHidden":false,"parsedPolicy":{"policy":"script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.googletagmanager.com https://www.gstatic.com hidden https://www.google-analytics.com https://goguvenliodeme.bkm.com.tr https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.googleadservices.com https://www.googleadservices.com ssl.google-analytics.com www.googleadservices.com https://connect.faebook.net/en_US/*; connect-src 'self' www.google-analytics.com firebase.googleapis.com firebaseinstallations.googleapis.com firebaseremoteconfig.googleapis.com fonts.gstatic.com www.gstatic.com 
mp-sdk.masterpassturkiye.com; report-uri https://api.moneypay.com.tr/fwb_csprp?tkcsp=MTc2Mjk1NDMwNfInJs3xV95ncYxKnusWlDuGXeQeFC0_MpSFATi_XSrjWoI64ViELnW2RUJSLNO80g--","directives":{"connect-src":["'self'","firebase.googleapis.com","firebaseinstallations.googleapis.com","firebaseremoteconfig.googleapis.com","fonts.gstatic.com","mp-sdk.masterpassturkiye.com","www.google-analytics.com","www.gstatic.com"],"report-uri":["https://api.moneypay.com.tr/fwb_csprp?tkcsp=MTc2Mjk1NDMwNfInJs3xV95ncYxKnusWlDuGXeQeFC0_MpSFATi_XSrjWoI64ViELnW2RUJSLNO80g--"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","blob:","hidden","https://connect.faebook.net/en_US/*","https://goguvenliodeme.bkm.com.tr","https://www.google-analytics.com","https://www.google.com/recaptcha/","https://www.googleadservices.com","https://www.googleadservices.com","https://www.googletagmanager.com","https://www.gstatic.com","https://www.gstatic.com/recaptcha/","ssl.google-analytics.com","www.googleadservices.com"]},"directiveOrder":["script-src","connect-src","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","firebase.googleapis.com":"host-source","firebaseinstallations.googleapis.com":"host-source","firebaseremoteconfig.googleapis.com":"host-source","fonts.gstatic.com":"host-source","hidden":"host-source","https://api.moneypay.com.tr/fwb_csprp?tkcsp=MTc2Mjk1NDMwNfInJs3xV95ncYxKnusWlDuGXeQeFC0_MpSFATi_XSrjWoI64ViELnW2RUJSLNO80g--":"host-source","https://connect.faebook.net/en_US/*":"host-source","https://goguvenliodeme.bkm.com.tr":"host-source","https://www.google-analytics.com":"host-source","https://www.google.com/recaptcha/":"host-source","https://www.googleadservices.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source","https://www.gstatic.com/recaptcha/":"host-source","mp-sdk.masterpassturkiye.com":"host-so
urce","ssl.google-analytics.com":"host-source","www.google-analytics.com":"host-source","www.googleadservices.com":"host-source","www.gstatic.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: hidden https://connect.faebook.net/en_US/* https://goguvenliodeme.bkm.com.tr https://www.google-analytics.com https://www.google.com/recaptcha/ https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.gstatic.com/recaptcha/ ssl.google-analytics.com www.googleadservices.com; connect-src 'self' firebase.googleapis.com firebaseinstallations.googleapis.com firebaseremoteconfig.googleapis.com fonts.gstatic.com mp-sdk.masterpassturkiye.com www.google-analytics.com www.gstatic.com; report-uri https://api.moneypay.com.tr/fwb_csprp?tkcsp=MTc2Mjk1NDMwNfInJs3xV95ncYxKnusWlDuGXeQeFC0_MpSFATi_XSrjWoI64ViELnW2RUJSLNO80g--;"],"stats":{"totalHigh":2,"totalMedium":11,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googleadservices.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.faebook.net/en_US/*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"hidden","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://goguvenliodeme.bkm.com.tr","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"ssl.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.googleadservices.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"script-src","source":"https://www.gstatic.com/recaptcha/","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6933286c540b3b52a15a12c2","ts":"2025-12-05T18:46:04.749Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.brooksihl.org/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google.com https://*.gstatic.com https://www.google-analytics.com https://www.googletagmanager.com https://ajax.googleapis.com https://cdn.jsdelivr.net https://use.fontawesome.com https://acsbapp.com https://*.acsbapp.com https://www.eventbrite.com; worker-src 'self' blob:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net https://use.fontawesome.com; font-src 'self' https://fonts.gstatic.com https://use.fontawesome.com data:; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com https://acsbapp.com https://*.acsbapp.com https://www.eventbrite.com; frame-src 'self' https://*.google.com https://*.gstatic.com https://www.eventbrite.com https://www.youtube.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; frame-ancestors 
'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://*.acsbapp.com","https://acsbapp.com","https://www.eventbrite.com","https://www.google-analytics.com","https://www.googletagmanager.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://fonts.gstatic.com","https://use.fontawesome.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","https://*.google.com","https://*.gstatic.com","https://www.eventbrite.com","https://www.youtube.com"],"img-src":["'self'","data:","https:"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://*.acsbapp.com","https://*.google.com","https://*.gstatic.com","https://acsbapp.com","https://ajax.googleapis.com","https://cdn.jsdelivr.net","https://use.fontawesome.com","https://www.eventbrite.com","https://www.google-analytics.com","https://www.googletagmanager.com"],"style-src":["'self'","'unsafe-inline'","https://cdn.jsdelivr.net","https://fonts.googleapis.com","https://use.fontawesome.com"],"upgrade-insecure-requests":[],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","script-src","worker-src","style-src","font-src","img-src","connect-src","frame-src","object-src","base-uri","form-action","upgrade-insecure-requests","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https:":"scheme-source","https://*.acsbapp.com":"host-source","https://*.google.com":"host-source","https://*.gstatic.com":"host-source","https://acsbapp.com":"host-source","https://ajax.googleapis.com":"host-source","https://cdn.jsdelivr.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://use.fontawesome.com":"host-source","https://www.eventbrite.com":"host-source","https://www.google-analytics.com":"h
ost-source","https://www.googletagmanager.com":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.acsbapp.com https://*.google.com https://*.gstatic.com https://acsbapp.com https://ajax.googleapis.com https://cdn.jsdelivr.net https://use.fontawesome.com https://www.eventbrite.com https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://use.fontawesome.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://*.acsbapp.com https://acsbapp.com https://www.eventbrite.com https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data: https://fonts.gstatic.com https://use.fontawesome.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://*.google.com https://*.gstatic.com https://www.eventbrite.com https://www.youtube.com; img-src 'self' data: https:; upgrade-insecure-requests ; worker-src 'self' blob:;"],"stats":{"totalHigh":1,"totalMedium":12,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.jsdelivr.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.acsbapp.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://acsbapp.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://use.fontawesome.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ajax.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.eventbrite.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6933215103e177f52dcf11f6","ts":"2025-12-05T18:15:45.951Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://give.metrofamily.org/","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests;","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum 
necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69331f0a540b3b52a15a12bf","ts":"2025-12-05T18:06:02.937Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://affinity-website-wp-production.d350v9he0t80g.eu-west-2.cs.amazonlightsail.com/","isHidden":false,"parsedPolicy":{"policy":"default-src self; script-src report-sample self https://assets.calendly.com/assets/external/widget.js https://cc.cdn.civiccomputing.com/9/cookieControl-9.x.min.js https://www.googletagmanager.com/gtm.js; style-src report-sample self; object-src none; base-uri self; connect-src self https://region1.google-analytics.com; font-src self; frame-src self; img-src self https://affinity-wp-production-storage.s3.eu-west-2.amazonaws.com https://secure.gravatar.com; manifest-src self; media-src self; worker-src 
none;","directives":{"base-uri":["self"],"connect-src":["https://region1.google-analytics.com","self"],"default-src":["self"],"font-src":["self"],"frame-src":["self"],"img-src":["https://affinity-wp-production-storage.s3.eu-west-2.amazonaws.com","https://secure.gravatar.com","self"],"manifest-src":["self"],"media-src":["self"],"object-src":["none"],"script-src":["https://assets.calendly.com/assets/external/widget.js","https://cc.cdn.civiccomputing.com/9/cookieControl-9.x.min.js","https://www.googletagmanager.com/gtm.js","report-sample","self"],"style-src":["report-sample","self"],"worker-src":["none"]},"directiveOrder":["default-src","script-src","style-src","object-src","base-uri","connect-src","font-src","frame-src","img-src","manifest-src","media-src","worker-src"],"disposition":"report","delivery":"header","sourceMapping":{"https://affinity-wp-production-storage.s3.eu-west-2.amazonaws.com":"host-source","https://assets.calendly.com/assets/external/widget.js":"host-source","https://cc.cdn.civiccomputing.com/9/cookieControl-9.x.min.js":"host-source","https://region1.google-analytics.com":"host-source","https://secure.gravatar.com":"host-source","https://www.googletagmanager.com/gtm.js":"host-source","none":"keyword-source","report-sample":"keyword-source","self":"keyword-source"}},"disposition":"report","source":"header","policies":["default-src 'self'; script-src https://assets.calendly.com/assets/external/widget.js https://cc.cdn.civiccomputing.com/9/cookieControl-9.x.min.js https://www.googletagmanager.com/gtm.js 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src https://region1.google-analytics.com 'self'; font-src 'self'; frame-src 'self'; img-src https://affinity-wp-production-storage.s3.eu-west-2.amazonaws.com https://secure.gravatar.com 'self'; manifest-src 'self'; media-src 'self'; worker-src 
'none';"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":1,"totalInfo":0},"recommendations":[{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"}]},{"id":"6932eef7540b3b52a15a12ae","ts":"2025-12-05T14:40:55.884Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://reporting.pearsonvue.com/MicroStrategy/servlet/mstrWeb","isHidden":false,"parsedPolicy":{"policy":"base-uri 'self'; default-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https:; connect-src 'self' * ws: wss: blob:; worker-src 'self' * data: blob:; font-src 'self' * data: blob:; frame-src 'self' * data: blob: about: mailto: mstrapp: dossier:; img-src 'self' * data: blob: about:; media-src 'self' * data: blob: rtsp: rtmp:; child-src 'self' * data: blob:; form-action 
'self';","directives":{"base-uri":["'self'"],"child-src":["'self'","*","blob:","data:"],"connect-src":["'self'","*","blob:","ws:","wss:"],"default-src":["'self'"],"font-src":["'self'","*","blob:","data:"],"form-action":["'self'"],"frame-src":["'self'","*","about:","blob:","data:","dossier:","mailto:","mstrapp:"],"img-src":["'self'","*","about:","blob:","data:"],"media-src":["'self'","*","blob:","data:","rtmp:","rtsp:"],"object-src":["'self'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https:"],"style-src":["'self'","'unsafe-eval'","'unsafe-inline'","blob:","https:"],"worker-src":["'self'","*","blob:","data:"]},"directiveOrder":["base-uri","default-src","object-src","script-src","style-src","connect-src","worker-src","font-src","frame-src","img-src","media-src","child-src","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","about:":"scheme-source","blob:":"scheme-source","data:":"scheme-source","dossier:":"scheme-source","https:":"scheme-source","mailto:":"scheme-source","mstrapp:":"scheme-source","rtmp:":"scheme-source","rtsp:":"scheme-source","ws:":"scheme-source","wss:":"scheme-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https:; style-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https:; object-src 'self'; base-uri 'self'; child-src 'self' * blob: data:; connect-src 'self' * blob: ws: wss:; font-src 'self' * blob: data:; form-action 'self'; frame-src 'self' * about: blob: data: dossier: mailto: mstrapp:; img-src 'self' * about: blob: data:; media-src 'self' * blob: data: rtmp: rtsp:; worker-src 'self' * blob: data:;"],"stats":{"totalHigh":2,"totalMedium":3,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on 
script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"https:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"connect-src","source":"ws:","message":"Allowing content over insecure channels can allow snooping and tampering of data.","recommendation":"Ensure that all content is loaded over secure channels. 
Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932ed0703e177f52dcf11de","ts":"2025-12-05T14:32:39.869Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://golfkar-huren.nl/","isHidden":false,"parsedPolicy":{"policy":"img-src data: 'self' https://dc.ads.linkedin.com https://*.googleapis.com https://maps.gstatic.com/ https://*.tile.openstreetmap.org https://*.google-analytics.com https://*.cookiefirst.com https://platform-cdn.sharethis.com/ https://*.tawk.to https://www.google.com https://www.google.nl https://www.facebook.com https://tawk.link https://*.amazonaws.com https://www.googletagmanager.com;frame-src https://consentcdn.cookiebot.com https://www.youtube.com https://www.youtube-nocookie.com https://www.googletagmanager.com https://www.facebook.com https://player.vimeo.com https://*.cookiefirst.com https://app.springcast.fm https://open.spotify.com/ https://*.tawk.to https://td.doubleclick.net;script-src 'nonce-pzdJKjZYNL+eKYaR9U7r' 'strict-dynamic';style-src 'unsafe-inline' 'self' https://fonts.googleapis.com https://*.cookiefirst.com https://*.tawk.to;font-src 'self' https://fonts.gstatic.com https://*.tawk.to;connect-src 'self' https://*.google-analytics.com https://api.leadinfo.com https://collector.leadinfo.net https://consentcdn.cookiebot.com https://*.googleapis.com https://nominatim.openstreetmap.org https://*.cookiefirst.com https://*.tawk.to https://*.leadinfo.net https://www.google.com https://www.google.nl wss://*.tawk.to https://*.hotjar.io wss://ws.hotjar.com https://region1.analytics.google.com;default-src 
'self'","directives":{"connect-src":["'self'","https://*.cookiefirst.com","https://*.google-analytics.com","https://*.googleapis.com","https://*.hotjar.io","https://*.leadinfo.net","https://*.tawk.to","https://api.leadinfo.com","https://collector.leadinfo.net","https://consentcdn.cookiebot.com","https://nominatim.openstreetmap.org","https://region1.analytics.google.com","https://www.google.com","https://www.google.nl","wss://*.tawk.to","wss://ws.hotjar.com"],"default-src":["'self'"],"font-src":["'self'","https://*.tawk.to","https://fonts.gstatic.com"],"frame-src":["https://*.cookiefirst.com","https://*.tawk.to","https://app.springcast.fm","https://consentcdn.cookiebot.com","https://open.spotify.com/","https://player.vimeo.com","https://td.doubleclick.net","https://www.facebook.com","https://www.googletagmanager.com","https://www.youtube-nocookie.com","https://www.youtube.com"],"img-src":["'self'","data:","https://*.amazonaws.com","https://*.cookiefirst.com","https://*.google-analytics.com","https://*.googleapis.com","https://*.tawk.to","https://*.tile.openstreetmap.org","https://dc.ads.linkedin.com","https://maps.gstatic.com/","https://platform-cdn.sharethis.com/","https://tawk.link","https://www.facebook.com","https://www.google.com","https://www.google.nl","https://www.googletagmanager.com"],"script-src":["'nonce-pzdJKjZYNL+eKYaR9U7r'","'strict-dynamic'"],"style-src":["'self'","'unsafe-inline'","https://*.cookiefirst.com","https://*.tawk.to","https://fonts.googleapis.com"]},"directiveOrder":["img-src","frame-src","script-src","style-src","font-src","connect-src","default-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-pzdJKjZYNL+eKYaR9U7r'":"nonce-source","'self'":"keyword-source","'strict-dynamic'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https://*.amazonaws.com":"host-source","https://*.cookiefirst.com":"host-source","https://*.google-analytics.com":"host-source","https://*.googleapis.com":"host-sour
ce","https://*.hotjar.io":"host-source","https://*.leadinfo.net":"host-source","https://*.tawk.to":"host-source","https://*.tile.openstreetmap.org":"host-source","https://api.leadinfo.com":"host-source","https://app.springcast.fm":"host-source","https://collector.leadinfo.net":"host-source","https://consentcdn.cookiebot.com":"host-source","https://dc.ads.linkedin.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://maps.gstatic.com/":"host-source","https://nominatim.openstreetmap.org":"host-source","https://open.spotify.com/":"host-source","https://platform-cdn.sharethis.com/":"host-source","https://player.vimeo.com":"host-source","https://region1.analytics.google.com":"host-source","https://tawk.link":"host-source","https://td.doubleclick.net":"host-source","https://www.facebook.com":"host-source","https://www.google.com":"host-source","https://www.google.nl":"host-source","https://www.googletagmanager.com":"host-source","https://www.youtube-nocookie.com":"host-source","https://www.youtube.com":"host-source","wss://*.tawk.to":"host-source","wss://ws.hotjar.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'nonce-pzdJKjZYNL+eKYaR9U7r' 'strict-dynamic'; style-src 'self' 'unsafe-inline' https://*.cookiefirst.com https://*.tawk.to https://fonts.googleapis.com; connect-src 'self' https://*.cookiefirst.com https://*.google-analytics.com https://*.googleapis.com https://*.hotjar.io https://*.leadinfo.net https://*.tawk.to https://api.leadinfo.com https://collector.leadinfo.net https://consentcdn.cookiebot.com https://nominatim.openstreetmap.org https://region1.analytics.google.com https://www.google.com https://www.google.nl wss://*.tawk.to wss://ws.hotjar.com; font-src 'self' https://*.tawk.to https://fonts.gstatic.com; frame-src https://*.cookiefirst.com https://*.tawk.to https://app.springcast.fm https://consentcdn.cookiebot.com 
https://open.spotify.com/ https://player.vimeo.com https://td.doubleclick.net https://www.facebook.com https://www.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com; img-src 'self' data: https://*.amazonaws.com https://*.cookiefirst.com https://*.google-analytics.com https://*.googleapis.com https://*.tawk.to https://*.tile.openstreetmap.org https://dc.ads.linkedin.com https://maps.gstatic.com/ https://platform-cdn.sharethis.com/ https://tawk.link https://www.facebook.com https://www.google.com https://www.google.nl https://www.googletagmanager.com;"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932e1a2540b3b52a15a129d","ts":"2025-12-05T13:44:02.144Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://pc319388doit-locations-americaneagle-com-bh.preview.pagescdn.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self';base-uri 'none'; form-action 'none'; object-src 'none';font-src 'self' https://fonts.gstatic.com data:;img-src 'self' https://*.mktgcdn.com https://maps.googleapis.com https://maps.gstatic.com data:;script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://maps.gstatic.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.tiktok.com https://sc-static.net https://connect.facebook.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;connect-src 'self' https://*.yextapis.com https://maps.googleapis.com 
https://analytics.tiktok.com;","directives":{"base-uri":["'none'"],"connect-src":["'self'","https://*.yextapis.com","https://analytics.tiktok.com","https://maps.googleapis.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://fonts.gstatic.com"],"form-action":["'none'"],"img-src":["'self'","data:","https://*.mktgcdn.com","https://maps.googleapis.com","https://maps.gstatic.com"],"object-src":["'none'"],"script-src":["'self'","'unsafe-inline'","https://analytics.tiktok.com","https://connect.facebook.net","https://maps.googleapis.com","https://maps.gstatic.com","https://sc-static.net","https://www.google-analytics.com","https://www.googletagmanager.com"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com"]},"directiveOrder":["default-src","base-uri","form-action","object-src","font-src","img-src","script-src","style-src","connect-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https://*.mktgcdn.com":"host-source","https://*.yextapis.com":"host-source","https://analytics.tiktok.com":"host-source","https://connect.facebook.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://maps.googleapis.com":"host-source","https://maps.gstatic.com":"host-source","https://sc-static.net":"host-source","https://www.google-analytics.com":"host-source","https://www.googletagmanager.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-inline' https://analytics.tiktok.com https://connect.facebook.net https://maps.googleapis.com https://maps.gstatic.com https://sc-static.net https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'; base-uri 'none'; connect-src 'self' https://*.yextapis.com 
https://analytics.tiktok.com https://maps.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; form-action 'none'; img-src 'self' data: https://*.mktgcdn.com https://maps.googleapis.com https://maps.gstatic.com;"],"stats":{"totalHigh":1,"totalMedium":8,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://analytics.tiktok.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://maps.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://maps.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://sc-static.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932e18003e177f52dcf11da","ts":"2025-12-05T13:43:28.319Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://alshayacom-my.sharepoint.com/:p:/g/personal/adil_irshad_alshaya_com/IQAuFRu06r1eSr87dUFDKW0sASelGww0M883YuWzlogUEwY?e=uQiiLa","isHidden":false,"parsedPolicy":{"policy":"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-4gFN7eF9S_C9sphp5x9Mfg' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri 
https://csp.microsoft.com/report/ESTS-UX-All","directives":{"base-uri":["'self'"],"object-src":["'none'"],"report-uri":["https://csp.microsoft.com/report/ESTS-UX-All"],"script-src":["'nonce-4gFN7eF9S_C9sphp5x9Mfg'","'report-sample'","'self'","'unsafe-eval'","'unsafe-inline'","https://*.azureedge.net","https://*.bing.com","https://*.microsoft.com","https://*.microsoftazuread-sso.com","https://*.microsoftonline-p.com","https://*.msauth.net","https://*.msauthimages.net","https://*.msftauth.net","https://*.msftauthimages.net","https://*.msidentity.com","https://*.office.com","https://*.office365.com","https://*.outlook.com"]},"directiveOrder":["object-src","base-uri","script-src","report-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'nonce-4gFN7eF9S_C9sphp5x9Mfg'":"nonce-source","'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","https://*.azureedge.net":"host-source","https://*.bing.com":"host-source","https://*.microsoft.com":"host-source","https://*.microsoftazuread-sso.com":"host-source","https://*.microsoftonline-p.com":"host-source","https://*.msauth.net":"host-source","https://*.msauthimages.net":"host-source","https://*.msftauth.net":"host-source","https://*.msftauthimages.net":"host-source","https://*.msidentity.com":"host-source","https://*.office.com":"host-source","https://*.office365.com":"host-source","https://*.outlook.com":"host-source","https://csp.microsoft.com/report/ESTS-UX-All":"host-source"}},"disposition":"report","source":"header","policies":["script-src 'nonce-4gFN7eF9S_C9sphp5x9Mfg' 'report-sample' 'self' 'unsafe-eval' 'unsafe-inline' https://*.azureedge.net https://*.bing.com https://*.microsoft.com https://*.microsoftazuread-sso.com https://*.microsoftonline-p.com https://*.msauth.net https://*.msauthimages.net https://*.msftauth.net https://*.msftauthimages.net https://*.msidentity.com https://*.office.com 
https://*.office365.com https://*.outlook.com; object-src 'none'; base-uri 'self'; report-uri https://csp.microsoft.com/report/ESTS-UX-All;"],"stats":{"totalHigh":0,"totalMedium":14,"totalLow":2,"totalInfo":1},"recommendations":[{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.msauthimages.net","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.msftauth.net","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.azureedge.net","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.bing.com","message":"It's best to minimize the locations from which sensitive content can be loaded. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.microsoft.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.microsoftazuread-sso.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.microsoftonline-p.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.msauth.net","message":"It's best to minimize the locations from which sensitive content can be loaded. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.msftauthimages.net","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.outlook.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.msidentity.com","message":"It's best to minimize the locations from which sensitive content can be loaded. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.office.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.office365.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page. form-action does not fall back to default-src, so it must be set explicitly.","recommendation":"Set form-action to 'none' or 'self', or to the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"unsafe-inline is ignored when using nonces or hashes as a source","severity":"INFO","directive":"script-src","source":"unsafe-inline","message":"The usage of nonces and hashes means the policy ignores unsafe-inline. This can impact usability if you haven't whitelisted all inline script","recommendation":"","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932d772540b3b52a15a128c","ts":"2025-12-05T13:00:34.213Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://dev.corestack.io/auth/login","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors 'none'; default-src 'self' data: 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com/ https://app.powerbi.com/ https://cdn.boldreports.com https://docsbot.ai/ https://api.docsbot.ai/ https://dev-files.corestack.io https://dev.corestack.io/api/ https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-share-report-webapp-dev3.azurewebsites.net https://cspbi-pbiauth-dev3.azurewebsites.net https://dev-mfa.corestack.io/; connect-src 'self' https://dev-files.corestack.io https://dev.corestack.io/api/ https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-share-report-webapp-dev3.azurewebsites.net https://cspbi-pbiauth-dev3.azurewebsites.net https://cdn.boldreports.com https://docsbot.ai/ https://api.docsbot.ai/ https://edge.fullstory.com https://fullstory.com https://rs.fullstory.com https://dev-mfa.corestack.io/; object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.boldreports.com https://widget.docsbot.ai 
https://edge.fullstory.com https://fullstory.com https://rs.fullstory.com https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-pbiauth-dev3.azurewebsites.net https://dev-mfa.corestack.io/client/zRaSmb7Xrgos8CvnApkfdXkbNyTXs9gN.js https://cdn.auth0.com/; img-src * 'self' blob: data:; form-action 'self' https://export.highcharts.com/ https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-pbiauth-dev3.azurewebsites.net;","directives":{"connect-src":["'self'","https://api.docsbot.ai/","https://cdn.boldreports.com","https://cspbi-pbiauth-dev3.azurewebsites.net","https://cspbi-share-report-webapp-dev3.azurewebsites.net","https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/","https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/","https://dev-files.corestack.io","https://dev-mfa.corestack.io/","https://dev.corestack.io/api/","https://docsbot.ai/","https://edge.fullstory.com","https://fullstory.com","https://rs.fullstory.com"],"default-src":["'self'","'unsafe-inline'","data:","https://api.docsbot.ai/","https://app.powerbi.com/","https://cdn.boldreports.com","https://cspbi-pbiauth-dev3.azurewebsites.net","https://cspbi-share-report-webapp-dev3.azurewebsites.net","https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/","https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/","https://dev-files.corestack.io","https://dev-mfa.corestack.io/","https://dev.corestack.io/api/","https://docsbot.ai/","https://fonts.googleapis.com","https://fonts.gstatic.com/"],"form-action":["'self'","https://cspbi-pbiauth-dev3.azurewebsites.net","https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/","https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/","https://export.highcharts.com/"],"frame-ancestors":["'none'"],"img-src":["'self'","*","blob:","data:"],"object-src":["'none'"
],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://cdn.auth0.com/","https://cdn.boldreports.com","https://cspbi-pbiauth-dev3.azurewebsites.net","https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/","https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/","https://dev-mfa.corestack.io/client/zRaSmb7Xrgos8CvnApkfdXkbNyTXs9gN.js","https://edge.fullstory.com","https://fullstory.com","https://rs.fullstory.com","https://widget.docsbot.ai"]},"directiveOrder":["frame-ancestors","default-src","connect-src","object-src","script-src","img-src","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","blob:":"scheme-source","data:":"scheme-source","https://api.docsbot.ai/":"host-source","https://app.powerbi.com/":"host-source","https://cdn.auth0.com/":"host-source","https://cdn.boldreports.com":"host-source","https://cspbi-pbiauth-dev3.azurewebsites.net":"host-source","https://cspbi-share-report-webapp-dev3.azurewebsites.net":"host-source","https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/":"host-source","https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/":"host-source","https://dev-files.corestack.io":"host-source","https://dev-mfa.corestack.io/":"host-source","https://dev-mfa.corestack.io/client/zRaSmb7Xrgos8CvnApkfdXkbNyTXs9gN.js":"host-source","https://dev.corestack.io/api/":"host-source","https://docsbot.ai/":"host-source","https://edge.fullstory.com":"host-source","https://export.highcharts.com/":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com/":"host-source","https://fullstory.com":"host-source","https://rs.fullstory.com":"host-source","https://widget.docsbot.ai":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self' 'unsafe-inline' data: https://api.docsbot.ai/ 
https://app.powerbi.com/ https://cdn.boldreports.com https://cspbi-pbiauth-dev3.azurewebsites.net https://cspbi-share-report-webapp-dev3.azurewebsites.net https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://dev-files.corestack.io https://dev-mfa.corestack.io/ https://dev.corestack.io/api/ https://docsbot.ai/ https://fonts.googleapis.com https://fonts.gstatic.com/; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.auth0.com/ https://cdn.boldreports.com https://cspbi-pbiauth-dev3.azurewebsites.net https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://dev-mfa.corestack.io/client/zRaSmb7Xrgos8CvnApkfdXkbNyTXs9gN.js https://edge.fullstory.com https://fullstory.com https://rs.fullstory.com https://widget.docsbot.ai; object-src 'none'; connect-src 'self' https://api.docsbot.ai/ https://cdn.boldreports.com https://cspbi-pbiauth-dev3.azurewebsites.net https://cspbi-share-report-webapp-dev3.azurewebsites.net https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://dev-files.corestack.io https://dev-mfa.corestack.io/ https://dev.corestack.io/api/ https://docsbot.ai/ https://edge.fullstory.com https://fullstory.com https://rs.fullstory.com; form-action 'self' https://cspbi-pbiauth-dev3.azurewebsites.net https://cspbi-ssrsapi-dev3.azurewebsites.net/api/Subscription/ https://cspbi-ssrsweb-dev3.azurewebsites.net/api/ReportViewer/ https://export.highcharts.com/; frame-ancestors 'none'; img-src 'self' * blob: data:;"],"stats":{"totalHigh":2,"totalMedium":10,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"default-src","source":"data:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of 
CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cspbi-pbiauth-dev3.azurewebsites.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.auth0.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.boldreports.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://edge.fullstory.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://fullstory.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://rs.fullstory.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://widget.docsbot.ai","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932c8df03e177f52dcf11c5","ts":"2025-12-05T11:58:23.517Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://sandbox.bemagro.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' https://unpkg.com https://api.mapbox.com; style-src 'self' https://unpkg.com https://api.mapbox.com 'unsafe-inline'; img-src 'self' https://www.bemagro.com https://*.tile.openstreetmap.org https://api.mapbox.com data:; connect-src 'self' https://api.bemagro.com https://idbm06puliar.compat.objectstorage.us-phoenix-1.oci.customer-oci.com https://unpkg.com https://api.mapbox.com https://events.mapbox.com; font-src 'self' https://api.mapbox.com data:; worker-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 
'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://api.bemagro.com","https://api.mapbox.com","https://events.mapbox.com","https://idbm06puliar.compat.objectstorage.us-phoenix-1.oci.customer-oci.com","https://unpkg.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://api.mapbox.com"],"frame-ancestors":["'self'"],"img-src":["'self'","data:","https://*.tile.openstreetmap.org","https://api.mapbox.com","https://www.bemagro.com"],"object-src":["'none'"],"script-src":["'self'","https://api.mapbox.com","https://unpkg.com"],"style-src":["'self'","'unsafe-inline'","https://api.mapbox.com","https://unpkg.com"],"worker-src":["'self'"]},"directiveOrder":["default-src","script-src","style-src","img-src","connect-src","font-src","worker-src","object-src","base-uri","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https://*.tile.openstreetmap.org":"host-source","https://api.bemagro.com":"host-source","https://api.mapbox.com":"host-source","https://events.mapbox.com":"host-source","https://idbm06puliar.compat.objectstorage.us-phoenix-1.oci.customer-oci.com":"host-source","https://unpkg.com":"host-source","https://www.bemagro.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' https://api.mapbox.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://api.mapbox.com https://unpkg.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://api.bemagro.com https://api.mapbox.com https://events.mapbox.com https://idbm06puliar.compat.objectstorage.us-phoenix-1.oci.customer-oci.com https://unpkg.com; font-src 'self' data: https://api.mapbox.com; frame-ancestors 'self'; img-src 'self' data: https://*.tile.openstreetmap.org https://api.mapbox.com https://www.bemagro.com; worker-src 
'self';"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://api.mapbox.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://unpkg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses. A path restriction matters especially for a public package CDN such as unpkg.com, which serves every published npm package: allowing the bare host lets an attacker with HTML injection load any script published to the registry.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page. form-action does not fall back to default-src, so it must be set explicitly.","recommendation":"Set form-action to 'none' or 'self', or to the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932c8cd540b3b52a15a1281","ts":"2025-12-05T11:58:05.906Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://harpo.com.br","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests;","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page. form-action does not fall back to default-src, so it must be set explicitly.","recommendation":"Set form-action to 'none' or 'self', or to the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932c7e503e177f52dcf11c0","ts":"2025-12-05T11:54:13.171Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://turbopowerllc.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self' 'nonce-N6vRupwuMbqfp1GpJQUqGw==' https://cdnjs.cloudflare.com https://ajax.googleapis.com https://www.googletagmanager.com https://cdn.datatables.net https://cdn.jsdelivr.net https://code.jquery.com https://www.google.com https://www.gstatic.com; style-src 'self' 'nonce-N6vRupwuMbqfp1GpJQUqGw==' https://fonts.googleapis.com https://cdnjs.cloudflare.com; img-src 'self' data: https://php82.demo-customlinks.com https://*.demo-customlinks.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; connect-src 'self' https://ka-f.fontawesome.com https://cdnjs.cloudflare.com https://www.google.com; frame-src 'self' https://www.google.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; 
block-all-mixed-content","directives":{"base-uri":["'self'"],"block-all-mixed-content":[],"connect-src":["'self'","https://cdnjs.cloudflare.com","https://ka-f.fontawesome.com","https://www.google.com"],"default-src":["'none'"],"font-src":["'self'","https://cdnjs.cloudflare.com","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","https://www.google.com"],"img-src":["'self'","data:","https://*.demo-customlinks.com","https://php82.demo-customlinks.com"],"script-src":["'nonce-N6vRupwuMbqfp1GpJQUqGw=='","'self'","https://ajax.googleapis.com","https://cdn.datatables.net","https://cdn.jsdelivr.net","https://cdnjs.cloudflare.com","https://code.jquery.com","https://www.google.com","https://www.googletagmanager.com","https://www.gstatic.com"],"style-src":["'nonce-N6vRupwuMbqfp1GpJQUqGw=='","'self'","https://cdnjs.cloudflare.com","https://fonts.googleapis.com"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","frame-ancestors","base-uri","form-action","upgrade-insecure-requests","block-all-mixed-content"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-N6vRupwuMbqfp1GpJQUqGw=='":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","data:":"scheme-source","https://*.demo-customlinks.com":"host-source","https://ajax.googleapis.com":"host-source","https://cdn.datatables.net":"host-source","https://cdn.jsdelivr.net":"host-source","https://cdnjs.cloudflare.com":"host-source","https://code.jquery.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://ka-f.fontawesome.com":"host-source","https://php82.demo-customlinks.com":"host-source","https://www.google.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 
'nonce-N6vRupwuMbqfp1GpJQUqGw==' 'self' https://ajax.googleapis.com https://cdn.datatables.net https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://code.jquery.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com; style-src 'nonce-N6vRupwuMbqfp1GpJQUqGw==' 'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com; base-uri 'self'; block-all-mixed-content ; connect-src 'self' https://cdnjs.cloudflare.com https://ka-f.fontawesome.com https://www.google.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://www.google.com; img-src 'self' data: https://*.demo-customlinks.com https://php82.demo-customlinks.com; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":9,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ajax.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.datatables.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.jsdelivr.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932c75b540b3b52a15a1279","ts":"2025-12-05T11:51:55.665Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://onlineapply.sbi.bank.in","isHidden":false,"parsedPolicy":{"policy":"object-src 'self'; frame-src 'self'; child-src 'none'; frame-ancestors 'none'; report-to https://onlineapply.sbi.bank.in/cspreport.php; form-action https://onlineapply.sbi.bank.in https://homeloans.sbi.bank.in https://sso.sbi.co.in/;","directives":{"child-src":["'none'"],"form-action":["https://homeloans.sbi.bank.in","https://onlineapply.sbi.bank.in","https://sso.sbi.co.in/"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"object-src":["'self'"],"report-to":["https://onlineapply.sbi.bank.in/cspreport.php"]},"directiveOrder":["object-src","frame-src","child-src","frame-ancestors","report-to","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","https://homeloans.sbi.bank.in":"host-source","https://onlineapply.sbi.bank.in":"host-source","https://onlineapply.sbi.bank.in/cspreport.php":"host-source","https://sso.sbi.co.in/":"host-source"}},"disposition":"enforce","source":"header","policies":["object-src 'self'; child-src 'none'; 
form-action https://homeloans.sbi.bank.in https://onlineapply.sbi.bank.in https://sso.sbi.co.in/; frame-ancestors 'none'; frame-src 'self'; report-to https://onlineapply.sbi.bank.in/cspreport.php;"],"stats":{"totalHigh":1,"totalMedium":1,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932c32b540b3b52a15a1278","ts":"2025-12-05T11:34:03.464Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://checkout-hom.santanderauto.com.br/not-found","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' https://checkoutshopper-test.adyen.com; script-src 'self' 'nonce-d627f5ead244e1be59fabc4fd12e1e41'; script-src-elem 'self' 'nonce-d627f5ead244e1be59fabc4fd12e1e41'; style-src 'self' 'nonce-d627f5ead244e1be59fabc4fd12e1e41' https://checkoutshopper-test.adyen.com; style-src-elem 'self' 'nonce-d627f5ead244e1be59fabc4fd12e1e41' 'unsafe-hashes' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-JGr8k5vHR43w0qQlv9UY0VyrKoH2xpBisy5EY6jRfbg=' 'sha256-Dg7XyIWYliUMqwwMfsTii8ZFqnc2vFE+aacm8yrECS8=' 'sha256-h8i7t47nSGIeOpqmFlY1u4c2gx655NAcDZD1us8xcXQ=' 'sha256-yV6HQBuM7ARY2j6I/vQv0bzw++8WxmXZLXWaFyKyPWo=' https://checkoutshopper-test.adyen.com; font-src 'self' https://checkoutshopper-test.adyen.com; img-src 'self' https://checkoutshopper-test.adyen.com https://checkoutshopper-test.cdn.adyen.com; connect-src 'self' https://api-sandbox.hdi.com.br https://api-sandbox.santanderauto.com.br; object-src 'none'; base-uri 'self'; frame-ancestors 'self' https://checkoutshopper-test.adyen.com; form-action 'self' https://checkoutshopper-test.adyen.com; 
upgrade-insecure-requests;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://api-sandbox.hdi.com.br","https://api-sandbox.santanderauto.com.br"],"default-src":["'self'","https://checkoutshopper-test.adyen.com"],"font-src":["'self'","https://checkoutshopper-test.adyen.com"],"form-action":["'self'","https://checkoutshopper-test.adyen.com"],"frame-ancestors":["'self'","https://checkoutshopper-test.adyen.com"],"img-src":["'self'","https://checkoutshopper-test.adyen.com","https://checkoutshopper-test.cdn.adyen.com"],"object-src":["'none'"],"script-src":["'nonce-d627f5ead244e1be59fabc4fd12e1e41'","'self'"],"script-src-elem":["'nonce-d627f5ead244e1be59fabc4fd12e1e41'","'self'"],"style-src":["'nonce-d627f5ead244e1be59fabc4fd12e1e41'","'self'","https://checkoutshopper-test.adyen.com"],"style-src-elem":["'nonce-d627f5ead244e1be59fabc4fd12e1e41'","'self'","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-Dg7XyIWYliUMqwwMfsTii8ZFqnc2vFE+aacm8yrECS8='","'sha256-JGr8k5vHR43w0qQlv9UY0VyrKoH2xpBisy5EY6jRfbg='","'sha256-h8i7t47nSGIeOpqmFlY1u4c2gx655NAcDZD1us8xcXQ='","'sha256-yV6HQBuM7ARY2j6I/vQv0bzw++8WxmXZLXWaFyKyPWo='","'unsafe-hashes'","https://checkoutshopper-test.adyen.com"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","script-src-elem","style-src","style-src-elem","font-src","img-src","connect-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-d627f5ead244e1be59fabc4fd12e1e41'":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-Dg7XyIWYliUMqwwMfsTii8ZFqnc2vFE+aacm8yrECS8='":"hash-source","'sha256-JGr8k5vHR43w0qQlv9UY0VyrKoH2xpBisy5EY6jRfbg='":"hash-source","'sha256-h8i7t47nSGIeOpqmFlY1u4c2gx655NAcDZD1us8xcXQ='":"hash-source","'sha256-yV6HQBuM7ARY2j6I/vQv0bzw++8WxmXZLXWaFyKyPWo='":"hash-source","'unsafe-hashes'":
"keyword-source","https://api-sandbox.hdi.com.br":"host-source","https://api-sandbox.santanderauto.com.br":"host-source","https://checkoutshopper-test.adyen.com":"host-source","https://checkoutshopper-test.cdn.adyen.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self' https://checkoutshopper-test.adyen.com; script-src 'nonce-d627f5ead244e1be59fabc4fd12e1e41' 'self'; script-src-elem 'nonce-d627f5ead244e1be59fabc4fd12e1e41' 'self'; style-src 'nonce-d627f5ead244e1be59fabc4fd12e1e41' 'self' https://checkoutshopper-test.adyen.com; style-src-elem 'nonce-d627f5ead244e1be59fabc4fd12e1e41' 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-Dg7XyIWYliUMqwwMfsTii8ZFqnc2vFE+aacm8yrECS8=' 'sha256-JGr8k5vHR43w0qQlv9UY0VyrKoH2xpBisy5EY6jRfbg=' 'sha256-h8i7t47nSGIeOpqmFlY1u4c2gx655NAcDZD1us8xcXQ=' 'sha256-yV6HQBuM7ARY2j6I/vQv0bzw++8WxmXZLXWaFyKyPWo=' 'unsafe-hashes' https://checkoutshopper-test.adyen.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-sandbox.hdi.com.br https://api-sandbox.santanderauto.com.br; font-src 'self' https://checkoutshopper-test.adyen.com; form-action 'self' https://checkoutshopper-test.adyen.com; frame-ancestors 'self' https://checkoutshopper-test.adyen.com; img-src 'self' https://checkoutshopper-test.adyen.com https://checkoutshopper-test.cdn.adyen.com; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932c13a03e177f52dcf11bf","ts":"2025-12-05T11:25:46.396Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://alumni.kpmg.gr/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'nonce-E6fyYdnqlaE6oFOnlfJs3A==' https://cdn.cookielaw.org https://www.googletagmanager.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/; style-src 'self' 'nonce-E6fyYdnqlaE6oFOnlfJs3A==' https://alumni.kpmg.gr https://fonts.googleapis.com https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://privacyportal.onetrust.com https://geolocation.onetrust.com; img-src 'self' data: https://cdn.cookielaw.org https://www.gstatic.com https://www.google.com/recaptcha/ https://alumni.kpmg.gr https://assets.kpmg.com https://www.google-analytics.com; connect-src 'self' 
https://alumni.kpmg.gr https://kpmgi-privacy.my.onetrust.com https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://privacyportal.onetrust.com https://geolocation.onetrust.com https://www.gstatic.com https://www.google-analytics.com https://region1.google-analytics.com; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'self'; manifest-src 'self'; report-uri /csp-report-endpoint;","directives":{"base-uri":["'self'"],"block-all-mixed-content":[],"connect-src":["'self'","https://alumni.kpmg.gr","https://cdn.cookielaw.org","https://cookie-cdn.cookiepro.com","https://geolocation.onetrust.com","https://kpmgi-privacy.my.onetrust.com","https://privacyportal.onetrust.com","https://region1.google-analytics.com","https://www.google-analytics.com","https://www.gstatic.com"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","https://www.google.com/recaptcha/","https://www.gstatic.com/recaptcha/"],"img-src":["'self'","data:","https://alumni.kpmg.gr","https://assets.kpmg.com","https://cdn.cookielaw.org","https://www.google-analytics.com","https://www.google.com/recaptcha/","https://www.gstatic.com"],"manifest-src":["'self'"],"object-src":["'none'"],"report-uri":["/csp-report-endpoint"],"script-src":["'nonce-E6fyYdnqlaE6oFOnlfJs3A=='","'self'","https://cdn.cookielaw.org","https://www.google.com/recaptcha/","https://www.googletagmanager.com","https://www.gstatic.com/recaptcha/"],"style-src":["'nonce-E6fyYdnqlaE6oFOnlfJs3A=='","'self'","https://alumni.kpmg.gr","https://cdn.cookielaw.org","https://cookie-cdn.cookiepro.com","https://fonts.googleapis.com","https://geolocation.onetrust.com","https://privacyportal.onetrust.com"],"upgrade-insecure-requests":[]},"directiveOrder"
:["default-src","script-src","style-src","img-src","connect-src","font-src","frame-src","object-src","base-uri","form-action","upgrade-insecure-requests","block-all-mixed-content","frame-ancestors","manifest-src","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-E6fyYdnqlaE6oFOnlfJs3A=='":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","/csp-report-endpoint":"","data:":"scheme-source","https://alumni.kpmg.gr":"host-source","https://assets.kpmg.com":"host-source","https://cdn.cookielaw.org":"host-source","https://cookie-cdn.cookiepro.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://geolocation.onetrust.com":"host-source","https://kpmgi-privacy.my.onetrust.com":"host-source","https://privacyportal.onetrust.com":"host-source","https://region1.google-analytics.com":"host-source","https://www.google-analytics.com":"host-source","https://www.google.com/recaptcha/":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source","https://www.gstatic.com/recaptcha/":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'nonce-E6fyYdnqlaE6oFOnlfJs3A==' 'self' https://cdn.cookielaw.org https://www.google.com/recaptcha/ https://www.googletagmanager.com https://www.gstatic.com/recaptcha/; style-src 'nonce-E6fyYdnqlaE6oFOnlfJs3A==' 'self' https://alumni.kpmg.gr https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://fonts.googleapis.com https://geolocation.onetrust.com https://privacyportal.onetrust.com; object-src 'none'; base-uri 'self'; block-all-mixed-content ; connect-src 'self' https://alumni.kpmg.gr https://cdn.cookielaw.org https://cookie-cdn.cookiepro.com https://geolocation.onetrust.com https://kpmgi-privacy.my.onetrust.com https://privacyportal.onetrust.com https://region1.google-analytics.com https://www.google-analytics.com https://www.gstatic.com; 
font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' data: https://alumni.kpmg.gr https://assets.kpmg.com https://cdn.cookielaw.org https://www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com; manifest-src 'self'; report-uri /csp-report-endpoint; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":2,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.cookielaw.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932be65540b3b52a15a1271","ts":"2025-12-05T11:13:41.306Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://csp-evaluator.withgoogle.com/","isHidden":false,"parsedPolicy":{"policy":"object-src 'none'; script-src 'sha256-vbqjgmO/1eNbI0KDULUkt+jCEUo/oA6kabtWCGf0HDc=' 'strict-dynamic' 'unsafe-inline' https: http:; base-uri 'none'; connect-src 'self' https://ssl.google-analytics.com; child-src 'none';","directives":{"base-uri":["'none'"],"child-src":["'none'"],"connect-src":["'self'","https://ssl.google-analytics.com"],"object-src":["'none'"],"script-src":["'sha256-vbqjgmO/1eNbI0KDULUkt+jCEUo/oA6kabtWCGf0HDc='","'strict-dynamic'","'unsafe-inline'","http:","https:"]},"directiveOrder":["object-src","script-src","base-uri","connect-src","child-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'sha256-vbqjgmO/1eNbI0KDULUkt+jCEUo/oA6kabtWCGf0HDc='":"hash-source","'strict-dynamic'":"keyword-source","'unsafe-inline'":"keyword-source","http:":"scheme-source","https:":"scheme-source","https://ssl.google-analytics.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 
'sha256-vbqjgmO/1eNbI0KDULUkt+jCEUo/oA6kabtWCGf0HDc=' 'strict-dynamic' 'unsafe-inline' http: https:; object-src 'none'; base-uri 'none'; child-src 'none'; connect-src 'self' https://ssl.google-analytics.com;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":1},"recommendations":[{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"http:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"https:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http:","message":"Allowing content over insecure channels can allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"unsafe-inline is ignored when using nonces or hashes as a source","severity":"INFO","directive":"script-src","source":"unsafe-inline","message":"The usage of nonces and hashes means the policy ignores unsafe-inline. 
This can impact usability if you haven't whitelisted all inline script","recommendation":"","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6932b903540b3b52a15a1270","ts":"2025-12-05T10:50:43.284Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://maps.dnv.com/portal/home/","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors 'self';","directives":{"frame-ancestors":["'self'"]},"directiveOrder":["frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["frame-ancestors 'self';"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]}]