Allow All Content Security Policy?

野性不改 2020-12-05 10:25

Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into iss

4 Answers
  •  醉酒成梦
    2020-12-05 10:38

    It's not secure at all, but as a starting point the real allow all policy is:

    default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';
    

    See: https://content-security-policy.com/ and this CSP migration guide.
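
Added example, not part of the original answer: a small auditor that resolves each fetch directive through its fallback chain and reports the permissive sources that actually take effect, which is a quick way to confirm a lab-only policy like the one above never reaches a real site. The function names and the `strict` sample policy are constructed for illustration, and treating the `unsafe-*` keywords as meaningful only for `script-src` and `style-src` is a simplifying assumption.

```javascript
// Added example, not from the original answer: flag permissive CSP sources.
const CHECKED = ['script-src', 'style-src', 'img-src', 'connect-src', 'frame-src'];
const BROAD = new Set(['*', 'data:', 'blob:']);
const KEYWORDS = new Set(["'unsafe-inline'", "'unsafe-eval'"]);
// Simplification: the unsafe-* keywords are only reported for these directives.
const KEYWORD_DIRECTIVES = new Set(['script-src', 'style-src']);

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Resolve the source list a browser would apply, following the fallback chain.
function effectiveSources(directives, name) {
  const chain = name === 'frame-src' ? [name, 'child-src', 'default-src'] : [name, 'default-src'];
  for (const d of chain) if (directives.has(d)) return directives.get(d);
  return null; // nothing applies: this resource type is not restricted at all
}

function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = {};
  for (const name of CHECKED) {
    const sources = effectiveSources(directives, name);
    if (sources === null) { findings[name] = ['(unrestricted)']; continue; }
    const lower = sources.map((s) => s.toLowerCase());
    const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    const hits = lower.filter((s) => {
      if (BROAD.has(s)) return true;
      if (!KEYWORDS.has(s) || !KEYWORD_DIRECTIVES.has(name)) return false;
      // A nonce or hash source makes browsers ignore 'unsafe-inline'.
      return !(s === "'unsafe-inline'" && hasNonceOrHash);
    });
    if (hits.length > 0) findings[name] = [...new Set(hits)];
  }
  return findings;
}

// The answer's policy, and a constructed stricter policy for comparison.
const allowAll = "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';";
const strict = "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'; img-src 'self' data:";
console.log(auditCsp(allowAll));
console.log(auditCsp(strict));
```

An empty object from `auditCsp` means none of the five checked directives resolves to a wildcard, `data:`/`blob:` scheme, or effective `unsafe-*` keyword.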
