L.S.
And why has CSP not been correctly installed all over the cloud at Cloudflare's,
now that form-jacking gains more and more momentum?
Re:
https://observatory.mozilla.org/analyze/cdnjs.cloudflare.com A minimal D-status is a shame really.
Content Security Policy (CSP) implemented unsafely.
This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as
https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
And here Cloudflare cannot do better than comin' up with a meagre C grade,
See:
https://tls.imirhil.fr/https/cdnjs.cloudflare.com
They won't go that extra security mile for their end-users, just implementing,
what they can get away with I presume?
This will mean, that we won't see that last webshop being hacked by form-hacking attackers there soon,
that's for sure. A shame really, isn't it?
polonus (volunteer 3rd party cold reconnaissance website security analyst and error-hunter)