CSP Evaluator

Google has come up with a great tool to check on CSP -
Google uses the CSP evaluator for assets including its Cloud Console, Photos, History, and Maps Timeline among others, and will expand the list.
It resides here:
https://csp-evaluator.withgoogle.com/

So I could not refrain from trying it out, as polonus is into volunteer website security on an almost daily basis.
Enjoy, my friends, enjoy!
Checking on this site:
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.axiscorner.com%2F&useragent=Fetch+useragent&accept_encoding=
e.g. -https://plus.google.com/u/1/b/108271385407869247047/+Axiscorner-Architecture-Rendering-Service/about" rel="publisher
We get two high severity findings:

check (syntax error)
Directive "check" is not a known CSP directive.

script-src [missing] (high severity)
script-src directive is missing.

object-src [missing] (high severity)
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
Blocked by Netcraft as an XSS attack: Blocked URL: -http://www.domxssscanner.com/scan?url=https%3A%2F%2Fplus.google.com%2Fu%2F1%2Fb%2F108271385407869247047%2F%2BAxiscorner-Architecture-Rendering-Service%2Fabout%22%3EAxis+Corner+Reviews%3C%2Fa%3E+Here%21%3Cscript+type%3D%22application%2Fld%2Bjson%22%3E+%7B++%22%40context%22%3A+%22http%3A%2F%2Fschema.org%2F%22%2C++%22%40type%22%3A+%22Br
Google also released the CSP Mitigator to help administrators apply custom CSP policy to applications and to better understand the impact of enabling CSP, including highlighting parts that may break. ->
https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa

I certainly hope security researchers will benefit from this addition to their toolchest,
polonus (volunteer website security analyst and website error-hunter)
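The three findings quoted above (an unknown directive, a missing script-src and a missing object-src) can be reproduced offline with a small policy checker. The following is an added example written for this page, not code from polonus' post or from Google's CSP Evaluator. The WEAK_POLICY and FIXED_POLICY headers are constructed assumptions, since the scanned site's real header does not appear in the post, and the checker goes one step beyond the post's findings by also flagging 'unsafe-inline' in the effective script-src.

```javascript
// Added example (not code from the post nor from Google's CSP Evaluator):
// a minimal Content-Security-Policy linter that reproduces the three findings
// quoted in the post. The sample policy strings are constructed assumptions.

// Directive names the linter recognises (CSP Level 2/3). Anything else is
// reported as a syntax error, matching "not a known CSP directive".
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src',
  'worker-src', 'manifest-src', 'base-uri', 'form-action', 'frame-ancestors',
  'sandbox', 'report-uri', 'report-to', 'upgrade-insecure-requests',
  'block-all-mixed-content', 'plugin-types', 'require-trusted-types-for',
  'trusted-types',
]);

// Parse "name value value; name value" into a Map of directive -> values.
// Browsers ignore a repeated directive, so the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives fall back to default-src when absent. Returns null when
// neither is set, i.e. the browser applies no restriction at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Returns a list of {severity, directive, message} findings for a header.
function evaluatePolicy(header) {
  const policy = parsePolicy(header);
  const findings = [];

  for (const name of policy.keys()) {
    if (!KNOWN_DIRECTIVES.has(name)) {
      findings.push({ severity: 'syntax', directive: name,
        message: `Directive "${name}" is not a known CSP directive.` });
    }
  }

  const scriptSrc = effectiveSources(policy, 'script-src');
  if (scriptSrc === null) {
    findings.push({ severity: 'high', directive: 'script-src',
      message: 'script-src directive is missing.' });
  } else if (scriptSrc.map((v) => v.toLowerCase()).includes("'unsafe-inline'")) {
    // One step beyond the post's findings: 'unsafe-inline' in the effective
    // script-src lets an injected <script> run. (A nonce or hash makes
    // browsers ignore 'unsafe-inline'; this simplified check does not model that.)
    findings.push({ severity: 'high', directive: 'script-src',
      message: "'unsafe-inline' allows injected in-page scripts to execute." });
  }

  if (effectiveSources(policy, 'object-src') === null) {
    findings.push({ severity: 'high', directive: 'object-src',
      message: "Missing object-src allows the injection of plugins which can execute JavaScript. Set it to 'none'." });
  }

  return findings;
}

// Constructed sample policies (assumptions, not the scanned site's header).
const WEAK_POLICY = "check; img-src 'self'; style-src 'self'";
const FIXED_POLICY = "default-src 'none'; script-src 'self'; object-src 'none'; img-src 'self'; style-src 'self'";

function printReport(label, header) {
  console.log(`${label}: ${header}`);
  for (const f of evaluatePolicy(header)) {
    console.log(`  [${f.severity}] ${f.directive}: ${f.message}`);
  }
}

printReport('weak', WEAK_POLICY);
printReport('fixed', FIXED_POLICY);
```

Running it with node prints the syntax error for "check" and the two high severity findings for WEAK_POLICY, and nothing for FIXED_POLICY, whose default-src 'none' plus explicit script-src and object-src 'none' is the shape the evaluator asks for.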