CSP Rating rates 100 although the header is wrong

[Lednerb]

Header: Content-Security-Policy: #default-src 'self'; font-src 'self'

The # sign is illegal,

Browser says: Content Security Policy: Unbekannte Direktive '#default-src' kann nicht verarbeitet werden

Rating rates:100

FIX: Only allow a whitelist of directives and values such as self or none or URLs, without wildcards.

[Skeeve]

Maybe parse CSP according to the/some standard?

https://www.w3.org/TR/CSP/#serialized-csp

[Lednerb]

Working on it.

[Lednerb]

Done by https://github.com/SIWECOS/HSHS-DOMXSS-Scanner/commit/11553d4c23722b6625b6e71dbd73559a4fa90eb4