5 years ago
Stuart Larsen #article
Below is an analysis of the Alexa top 10,000 websites and their use of the Content-Security-Policy report-uri directive.
We started scanning because we were curious about the following questions:
For each of the Alexa top 10,000 domains we tried https first and fell back to http if there was an error. We followed any redirects to the final website and checked for policies delivered both as HTTP headers and as meta tags. Where a site delivered more than one policy (multiple headers, or a comma-separated list in one header), we unrolled them into separate policies. (More info on using multiple policies.) Most websites only use one policy, so when we say "30 websites did abc", we really mean "30 policies did abc".
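The methodology above, written out as a small scanner. This is an added example and not the scanner used for the numbers in this post: it fetches a domain with https-then-http fallback, follows redirects (urllib does that by default), unrolls comma-separated and repeated headers into separate policies, pulls Content-Security-Policy meta tags out of the HTML, and then classifies each policy's report-uri as self-hosted or third-party. The self-hosted/third-party rule is an assumption (it compares the last two DNS labels of the collector host with the final page host, which is wrong for suffixes like .co.uk), and the sample response it runs on is constructed, not captured from any real site.

```python
"""CSP report-uri scanner (added example, not the original study's tooling)."""
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")


def split_policies(header_value):
    """One header may carry several policies separated by commas.
    Commas cannot appear inside a directive value, so splitting is safe."""
    return [p.strip() for p in header_value.split(",") if p.strip()]


def parse_policy(policy):
    """Parse one serialized CSP into {directive: [values]}.
    The first occurrence of a directive wins; later duplicates are ignored."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


class _MetaCSP(HTMLParser):
    """Collect the content of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))


def collect_policies(headers, body):
    """Unroll every policy delivered by headers or meta tags into a list."""
    found = []
    for name, value in headers:  # repeated headers show up as separate pairs
        if name.lower() in CSP_HEADERS:
            for p in split_policies(value):
                found.append({"source": "header", "directives": parse_policy(p)})
    meta = _MetaCSP()
    meta.feed(body)
    for p in meta.policies:
        found.append({"source": "meta", "directives": parse_policy(p)})
    return found


def _site_key(host):
    # ASSUMPTION: last two labels approximate the registrable domain.
    return ".".join(host.lower().split(".")[-2:])


def report_uri_summary(final_url, policies):
    """Count report-uri usage and classify the collector relative to the site."""
    site = _site_key(urlsplit(final_url).hostname or "")
    s = {"policies": len(policies), "with_report_uri": 0, "third_party": 0,
         "self_hosted": 0, "meta_with_report_uri": 0, "multiple_report_uri": 0}
    for p in policies:
        uris = p["directives"].get("report-uri", [])
        if not uris:
            continue
        s["with_report_uri"] += 1
        if len(uris) > 1:
            s["multiple_report_uri"] += 1
        if p["source"] == "meta":  # browsers ignore report-uri in meta policies
            s["meta_with_report_uri"] += 1
        host = urlsplit(uris[0]).hostname  # None for a relative report-uri
        if host is None or _site_key(host) == site:
            s["self_hosted"] += 1
        else:
            s["third_party"] += 1
    return s


def fetch(domain, timeout=10):
    """Try https, fall back to http on a connection error; return final URL, headers, body."""
    last_err = None
    for scheme in ("https", "http"):
        try:
            req = urllib.request.Request(f"{scheme}://{domain}/",
                                         headers={"User-Agent": "csp-report-uri-scan/0.1"})
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read(512 * 1024).decode("utf-8", "replace")
                return resp.geturl(), list(resp.headers.items()), body
        except OSError as e:  # URLError/HTTPError are subclasses of OSError
            last_err = e
    raise last_err


# Constructed sample response; not captured from any real site.
SAMPLE_URL = "https://www.example.com/"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; report-uri /csp-report, "
     "script-src 'self' https://cdn.example.com; report-uri https://collector.example.net/r/abc123"),
    ("Content-Security-Policy-Report-Only", "img-src https:; report-uri https://report.example.com/ro"),
]
SAMPLE_BODY = ('<html><head><meta http-equiv="Content-Security-Policy" '
               'content="upgrade-insecure-requests; report-uri /never-sent"></head></html>')


def run_sample():
    return report_uri_summary(SAMPLE_URL, collect_policies(SAMPLE_HEADERS, SAMPLE_BODY))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python scan.py example.org
        url, headers, body = fetch(sys.argv[1])
        print(url, report_uri_summary(url, collect_policies(headers, body)))
    else:
        print(run_sample())
```

On the constructed sample the scanner finds four policies (two unrolled from the comma-separated header, one report-only header, one meta tag), one of which reports to a third-party collector. Note the meta-tag policy: it carries a report-uri, but browsers do not honour report-uri in meta-delivered policies, so a scan that counts it as "has reporting" would overstate real coverage.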
1,221 (12%) of the top 10,000 websites use Content-Security-Policy.
Of those 1,221 websites, 299 use a report-uri. (This value actually jumped from 298 to 299 during the hour I was putting together this data.)
Only 38 of the websites use an external third-party report-uri collector. The rest either don't use report-uri or host the endpoint themselves (it's possible some are running a self-hosted collector such as https://github.com/c0nrad/caspr, but it's hard to tell either way).
None of them use more than one report-uri; every policy has either zero or one.
None of them. 99 websites deliver Content-Security-Policy with meta tags, mostly for mixed-content handling, and none of those meta policies carry a report-uri. That is the right outcome, since browsers ignore report-uri in a policy delivered via a meta tag: reporting only works from the HTTP header.
That's it! If you have any more questions to ask of the data, please let me know! Happy to crunch it out. stuart@csper.io.