

Facebook using Content Security Policy headers for Webkit. - jdavid

It looks like Facebook is using the experimental CSP headers today. I am kinda amused by some of the whitelisted domains and apps.

I have provided it here for your amusement.

    x-webkit-csp:default-src *;
     script-src https://*.facebook.com
                http://*.facebook.com
                https://*.fbcdn.net
                http://*.fbcdn.net
                *.facebook.net
                *.google-analytics.com
                *.virtualearth.net
                *.google.com
                127.0.0.1:*
                *.spotilocal.com:*
                chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl
                'unsafe-inline'
                'unsafe-eval'
                https://*.akamaihd.net
                http://*.akamaihd.net;
      style-src * 'unsafe-inline';
      connect-src https://*.facebook.com
                http://*.facebook.com
                https://*.fbcdn.net
                http://*.fbcdn.net
                *.facebook.net
                *.spotilocal.com:*
                https://*.akamaihd.net
                ws://*.facebook.com:*
                http://*.akamaihd.net;
======
jdavid
For the less informed, CSPs are a new web tool to help websites defend against
cross-site scripting.

Here is a definition of the spec, although this is only implemented for
Chrome and Safari: [http://people.mozilla.org/~bsterne/content-security-policy/details.html](http://people.mozilla.org/~bsterne/content-security-policy/details.html)

------
jdavid
I also find it interesting that they define allowed WebSockets, but don't
define which iframes are allowed.
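An added example, not from the post or from Facebook: a small Python audit that parses the x-webkit-csp value quoted in the post (copied inline as a constructed string with its whitespace collapsed) and reports the weak spots the post and this comment point at: the `default-src *` fallback, `'unsafe-inline'`/`'unsafe-eval'` in script-src, and fetch directives such as frame-src that are never set. The list of directive names checked is an assumption taken from the CSP 1.0 draft, not from the page.

```python
# Constructed copy of the x-webkit-csp value quoted in the post, whitespace collapsed.
FACEBOOK_CSP = (
    "default-src *; "
    "script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net "
    "http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net "
    "*.google.com 127.0.0.1:* *.spotilocal.com:* "
    "chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' "
    "https://*.akamaihd.net http://*.akamaihd.net; "
    "style-src * 'unsafe-inline'; "
    "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net "
    "http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net "
    "ws://*.facebook.com:* http://*.akamaihd.net"
)

# Assumed set of CSP 1.0 fetch directives that fall back to default-src when absent.
FETCH_DIRECTIVES = ("frame-src", "img-src", "object-src", "font-src", "media-src")


def parse_csp(header):
    """Parse a CSP header value into {directive-name: [source-expression, ...]}.

    Directives are ';'-separated; the first whitespace-separated token is the
    name, the rest are source expressions (line breaks inside a value are fine).
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(policy):
    """Return human-readable findings where the policy gives little or no protection."""
    findings = []
    for name, sources in policy.items():
        if "*" in sources:
            findings.append(f"{name}: wildcard '*' allows any origin")
        if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
            findings.append(f"{name}: 'unsafe-inline' leaves inline-script XSS unmitigated")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name}: 'unsafe-eval' permits eval()/Function()")
        if any(s.startswith("http://") for s in sources):
            findings.append(f"{name}: plain-http sources can be tampered with in transit")
    default = policy.get("default-src")
    for directive in FETCH_DIRECTIVES:
        if directive not in policy:
            if default is None:
                findings.append(f"{directive}: not set and no default-src fallback")
            elif "*" in default:
                findings.append(f"{directive}: not set, falls back to default-src * (unrestricted)")
    return findings
```

Running `audit_csp(parse_csp(FACEBOOK_CSP))` lists, among other things, that frame-src is unset and therefore inherits `default-src *`, which is exactly the iframe gap noted above.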

