Facebook using Content Security Policy headers for Webkit.
4 points by jdavid on March 12, 2013 | hide | past | favorite | 2 comments
It looks like Facebook is using the experimental CSP headers today. I am kinda amused by some of the whitelisted domains and apps.

I have provided it here for your amusement.

    x-webkit-csp:default-src *;
     script-src https://*.facebook.com 
                http://*.facebook.com 
                https://*.fbcdn.net 
                http://*.fbcdn.net 
                *.facebook.net 
                *.google-analytics.com 
                *.virtualearth.net 
                *.google.com 
                127.0.0.1:* 
                *.spotilocal.com:* 
                chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 
                'unsafe-inline' 
                'unsafe-eval' 
                https://*.akamaihd.net 
                http://*.akamaihd.net;
      style-src * 'unsafe-inline';
      connect-src https://*.facebook.com 
                http://*.facebook.com 
                https://*.fbcdn.net 
                http://*.fbcdn.net 
                *.facebook.net 
                *.spotilocal.com:* 
                https://*.akamaihd.net 
                ws://*.facebook.com:* 
                http://*.akamaihd.net;


For the less informed, CSPs are a new web tool to help websites defend against cross-site scripting.

Here is a definition of the spec, although this is only implemented for Chrome and Safari. http://people.mozilla.org/~bsterne/content-security-policy/d...


I also find it interesting that they define allowed websockets, but don't define which iFrames are allowed.
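As an added example (not part of the post, and not Facebook's own tooling), the following Python parses a legacy `X-WebKit-CSP` value into its directives and flags the settings a reviewer would notice in the policy above: the `*` in `default-src`, `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, plaintext `http:`/`ws:` sources, loopback sources, and the missing `frame-src`, which under the CSP 1.0 rules of the time falls back to `default-src`. The `SAMPLE_POLICY` string is constructed by joining the header lines quoted in the post; the finding codes and the `audit_csp` function are this example's own naming, not anything from the spec.

```python
"""Parse a CSP 1.0 / X-WebKit-CSP header value and report weak source lists."""
from __future__ import annotations

# Constructed sample: the directive list quoted in the post, joined on one
# line the way the browser actually receives it in the header.
SAMPLE_POLICY = (
    "default-src *; "
    "script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net "
    "http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net "
    "*.google.com 127.0.0.1:* *.spotilocal.com:* "
    "chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' "
    "https://*.akamaihd.net http://*.akamaihd.net; "
    "style-src * 'unsafe-inline'; "
    "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net "
    "http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net "
    "ws://*.facebook.com:* http://*.akamaihd.net"
)

# Fetch directives that fall back to default-src when absent (CSP 1.0).
FALLBACK_DIRECTIVES = ("script-src", "style-src", "connect-src", "frame-src",
                       "img-src", "font-src", "media-src", "object-src")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive name: [source expressions]}.

    Directives are separated by ';', tokens by whitespace, and the first token
    of a directive is its name (case-insensitive).  A repeated directive is
    ignored, matching browser behaviour of honouring the first occurrence.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Source list that governs `name`, applying the default-src fallback."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def audit_csp(directives: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (directive, code, detail) findings for weak settings.

    Codes used here: wildcard, unsafe-inline, unsafe-eval, plaintext,
    loopback, missing.  They are this example's own labels.
    """
    findings: list[tuple[str, str, str]] = []
    for name, sources in directives.items():
        if "*" in sources:
            findings.append((name, "wildcard", "'*' allows any origin"))
        if "'unsafe-inline'" in sources:
            findings.append((name, "unsafe-inline",
                             "inline code allowed; for script-src this removes "
                             "most of CSP's XSS protection"))
        if "'unsafe-eval'" in sources:
            findings.append((name, "unsafe-eval", "eval()-style execution allowed"))
        for src in sources:
            if src.startswith(("http://", "ws://")):
                findings.append((name, "plaintext", f"{src} is not transport-protected"))
            if src.startswith(("127.0.0.1", "localhost")):
                findings.append((name, "loopback",
                                 f"{src} lets software on the client host serve content"))
    # frame-src is the directive the post notes is absent; with default-src *
    # the fallback means frames may be loaded from anywhere.
    if "frame-src" not in directives:
        fallback = effective_sources(directives, "frame-src")
        findings.append(("frame-src", "missing",
                         f"not set; frames fall back to default-src "
                         f"{' '.join(fallback) or '(nothing allowed)'}"))
    return findings


if __name__ == "__main__":
    parsed = parse_csp(SAMPLE_POLICY)
    for directive, code, detail in audit_csp(parsed):
        print(f"{directive:12} {code:14} {detail}")
```

Running the block prints one line per finding; the `frame-src missing` line is the one that confirms the post's observation, since with `default-src *` the fallback places no restriction on which frames the page may embed.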