Facebook using Content Security Policy headers for Webkit.

4 points by jdavid ↗ HN
It looks like Facebook is using the experimental CSP headers today. I am kinda amused by some of the whitelisted domains and apps.

I have provided here for your amusement.

    x-webkit-csp:default-src *;
     script-src https://*.facebook.com 
                http://*.facebook.com 
                https://*.fbcdn.net 
                http://*.fbcdn.net 
                *.facebook.net 
                *.google-analytics.com 
                *.virtualearth.net 
                *.google.com 
                127.0.0.1:* 
                *.spotilocal.com:* 
                chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 
                'unsafe-inline' 
                'unsafe-eval' 
                https://*.akamaihd.net 
                http://*.akamaihd.net;
      style-src * 'unsafe-inline';
      connect-src https://*.facebook.com 
                http://*.facebook.com 
                https://*.fbcdn.net 
                http://*.fbcdn.net 
                *.facebook.net 
                *.spotilocal.com:* 
                https://*.akamaihd.net 
                ws://*.facebook.com:* 
                http://*.akamaihd.net;

2 comments

[ 3.0 ms ] story [ 17.4 ms ] thread
I also find it interesting that they define allowed websockets, but don't define which iFrames are allowed.