I have a large, legacy codebase that I'd like to introduce the Content-Security-Policy
header on. It is not feasible in the short term to truly lock-down the s
Try
default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic';
script-src * 'unsafe-inline' 'unsafe-eval';
connect-src * 'unsafe-inline';
img-src * data: blob: 'unsafe-inline';
frame-src *;
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';
Even with this, you might still find violations. If you find them, report them to me!
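A check that can be run on the policy above before deploying it, added here as an example and not part of the original answer: it parses the multi-line policy, produces the single-line header value, and lists quoted keywords that browsers ignore or that have no effect in the directive where they appear. The keyword list and the function names are assumptions made for this example.

```javascript
// Added example (not from the original post). POLICY is the policy from the answer above.
const POLICY = `
default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic';
script-src * 'unsafe-inline' 'unsafe-eval';
connect-src * 'unsafe-inline';
img-src * data: blob: 'unsafe-inline';
frame-src *;
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';`;

// Assumption: keyword list chosen for this example (CSP Level 3 keyword sources).
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'"]);
// 'unsafe-inline' only governs inline script and style, so only these directives use it.
const INLINE_AWARE = /^(default-src|script-src(-elem|-attr)?|style-src(-elem|-attr)?)$/;
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_=-]+'$/;

// Parse "name src src; name src" text into Map(name -> [sources]).
// Per the CSP parsing rules, a repeated directive is ignored: the first one wins.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// A header value must be a single line; join the directives with "; ".
function toHeaderValue(directives) {
  return [...directives].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Report quoted tokens a browser will ignore or that have no effect where they appear.
function lint(directives) {
  const findings = [];
  for (const [name, sources] of directives) {
    for (const src of sources) {
      if (!src.startsWith("'")) continue; // scheme and host sources are not checked here
      if (!KEYWORDS.has(src.toLowerCase()) && !NONCE_OR_HASH.test(src))
        findings.push(`${name}: unknown keyword ${src}`);
      else if (src.toLowerCase() === "'unsafe-inline'" && !INLINE_AWARE.test(name))
        findings.push(`${name}: 'unsafe-inline' has no effect here`);
    }
  }
  return findings;
}
```

Calling `lint(parsePolicy(POLICY))` returns the list of findings, and `toHeaderValue(parsePolicy(POLICY))` returns the string to send as the header value.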