See:
https://webcookies.org/cookies/www.onesearch.com/28899335?930381
Persistent tracking going on there.
P3P is a mostly abandoned standard for website privacy policy declaration that has little use today.
Please consider switching to DoNotTrack standard.
On CSP misconfiguration:
Content Security Policy
frame-ancestors 'none'; default-src 'self' https://*.onesearch.com; script-src 'self' 'unsafe-inline' 'nonce-DUH8wO761xGKs9Odg+OtUg==' 'unsafe-eval' https://*.onesearch.com; style-src 'self' 'unsafe-inline' https://*.onesearch.com; img-src 'self' data: https://*.onesearch.com; frame-src 'self'; media-src *; object-src *; connect-src https://*.onesearch.com; font-src * data:; report-uri https://www.onesearch.com/notracking/beacon/csp?src=privatesearch;
Policy delivery method: Content-Security-Policy
Enforcement: True
No base-uri allows attackers to inject base tags which override the base URI to an attacker-controlled origin. Set to 'none' unless you need to handle tricky relative URLs scheme
Consider adding block-all-mixed-content directive if your website is only accessible over TLS and you are certain it does not have any legacy plaintext resources. Otherwise you may consider adding upgrade-insecure-requests directive if your website may still have some legacy plaintext HTTP resources and you want them to be still available rather than blocked
You should definitely try using 'strict-dynamic' to eliminate those long lists of trusted third-party scripts
Consider using script-src 'report-sample' as it significantly helps debugging CSP reports. See specification
Origin script-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead
Origin script-src 'unsafe-eval' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead
Origin style-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-' or 'sha256-' instead
The img-src data: origin allows bypassing CSP and execution of inlined untrusted scripts
The font-src data: origin allows bypassing CSP and execution of inlined untrusted scripts
Content Security Policy (CSP) implemented unsafely.
This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
Also consider these B+ standard scan results:
https://observatory.mozilla.org/analyze/www.onesearch.com
Tracking connection security: This website is secured
100% of the trackers on this site are helping protect you from NSA snooping. Why not thank onesearch dot com for being secure?
All trackers
At least 2 third parties know you are on this webpage.
- cdn.onesearch.com
- www.onesearch.com
- www.onesearch.com
Tracker is tracking with some safety measures.
Tracker does not support secure transmission.
HTML validation check report:
https://validator.w3.org/nu/?doc=https%3A%2F%2Fwww.onesearch.com%2F
<!-- fe110.yhs.search.bf1.yahoo dot com Sat Jan 25 17:41:44 UTC 2020 -->
<panel class="drweb_select-panel" style="display: none;">
<div class="drweb_tool-panel">
<div class="drweb_tool-icon drweb_tool-icon_show" data-co="restore-btn" title="restore"></div>
<div class="drweb_tool-icon drweb_tool-icon_remove" data-co="remove-btn" title="remove"></div>
<div class="drweb_fit-btn" data-co="fit-btn" title=""></div>
</div>
<span data-co="label">Select the elements you want to hide on this page.</span>
<div class="drweb_btn" data-co="save">Save</div>
<div class="drweb_btn" data-co="cancel">Cancel</div>
<div class="drweb_panel-plug" data-co="plug" style="display: none"></div>
</panel>
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
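The CSP findings quoted in the post above (missing base-uri, no mixed-content directive, 'unsafe-inline' and 'unsafe-eval', data: sources, object-src *, and the strict-dynamic and report-sample suggestions) can be checked mechanically. The Python below is an added example written for this page; it is neither polonus's code nor the webcookies.org scanner, and the hardened policy it contains is an illustrative rewrite, not onesearch.com's actual header. It assumes the stray "-" characters in the quoted policy are list markers from the scanner's display rather than part of the header, and its finding labels are its own.

```python
"""Added example (not from the forum post or the scanner it quotes): a small
Content-Security-Policy checker for the weaknesses named in the quoted report,
run against the quoted policy and against a hardened rewrite of it."""

UNSAFE_TOKENS = ("'unsafe-inline'", "'unsafe-eval'")

# Policy quoted in the report, with the scanner's "-" list markers removed
# (assumed to be display formatting, not part of the header).
QUOTED_POLICY = (
    "frame-ancestors 'none'; default-src 'self' https://*.onesearch.com; "
    "script-src 'self' 'unsafe-inline' 'nonce-DUH8wO761xGKs9Odg+OtUg==' "
    "'unsafe-eval' https://*.onesearch.com; "
    "style-src 'self' 'unsafe-inline' https://*.onesearch.com; "
    "img-src 'self' data: https://*.onesearch.com; frame-src 'self'; "
    "media-src *; object-src *; connect-src https://*.onesearch.com; "
    "font-src * data:; "
    "report-uri https://www.onesearch.com/notracking/beacon/csp?src=privatesearch;"
)

# Hardened rewrite (this example's suggestion, not the site's real header):
# a per-response nonce plus 'strict-dynamic' replaces the host allowlist and
# the inline/eval allowances, base-uri and object-src are locked down, and
# data: sources are dropped.  The nonce placeholder must be replaced by a
# fresh random value on every response.
HARDENED_POLICY = (
    "default-src 'self'; base-uri 'none'; object-src 'none'; frame-ancestors 'none'; "
    "script-src 'nonce-REPLACE_WITH_PER_RESPONSE_RANDOM' 'strict-dynamic' 'report-sample'; "
    "style-src 'self' https://*.onesearch.com; img-src 'self' https://*.onesearch.com; "
    "font-src 'self'; connect-src https://*.onesearch.com; media-src 'self'; "
    "frame-src 'self'; upgrade-insecure-requests; "
    "report-uri https://www.onesearch.com/notracking/beacon/csp?src=privatesearch"
)


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def effective(directives: dict, name: str) -> list:
    """Fetch directives inherit default-src when absent (base-uri does not)."""
    return directives.get(name, directives.get("default-src", []))


def audit_csp(policy: str) -> list:
    """Return short finding labels; an empty list means none of the quoted
    report's issues were found."""
    d = parse_csp(policy)
    findings = []

    # No base-uri: an injected <base> tag can redirect every relative URL.
    if "base-uri" not in d:
        findings.append("base-uri missing")

    # Neither mixed-content directive: legacy plaintext subresources still load.
    if "block-all-mixed-content" not in d and "upgrade-insecure-requests" not in d:
        findings.append("no mixed-content directive")

    # Inline/eval allowances.  Note: nonce-aware browsers ignore 'unsafe-inline'
    # when a nonce or hash is present, so there it is only a legacy fallback;
    # it is still reported here, as the quoted scanner does.
    for name in ("script-src", "style-src"):
        sources = effective(d, name)
        for token in UNSAFE_TOKENS:
            if token in sources:
                findings.append(f"{name} {token}")

    # data: URIs as a script, image or font source.
    for name in ("script-src", "img-src", "font-src"):
        if "data:" in effective(d, name):
            findings.append(f"{name} data:")

    # Unrestricted object-src / script-src: absent with no default-src,
    # a bare '*', or a whole scheme such as https:.
    for name in ("object-src", "script-src"):
        sources = effective(d, name)
        if not sources or any(s in ("*", "https:", "http:") for s in sources):
            findings.append(f"{name} unrestricted")

    # Host allowlist without 'strict-dynamic'; missing 'report-sample'.
    script = effective(d, "script-src")
    has_hosts = any(not s.startswith("'") and s != "data:" for s in script)
    if has_hosts and "'strict-dynamic'" not in script:
        findings.append("script-src host allowlist without 'strict-dynamic'")
    if "'report-sample'" not in script:
        findings.append("script-src missing 'report-sample'")
    return findings


if __name__ == "__main__":
    for label, policy in (("quoted", QUOTED_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit_csp(policy) or 'no findings'}")
```

Run as a script it reports ten findings for the quoted policy and none for the hardened one. The checker is deliberately a string-level audit of the header; it does not fetch the site, and it treats an absent fetch directive as inheriting default-src, which is how browsers resolve it.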