hardenize / hardenize-public


CSP: * and http:// should be red. #20

Open Darkspirit opened 6 years ago

Darkspirit commented 6 years ago

https://www.hardenize.com/report/thesslstore.com/1518813280#www_csp

default-src data: 'unsafe-inline' 'unsafe-eval' *

Could you please always mark the whole CSP result red if there is a * or http://?

Rationale: Insecure cookies are also red.

jrchamp commented 6 years ago

Blanket https: seems a little risky, see https://csp-evaluator.withgoogle.com/. Being specific and using nonces seems to be the way to go: https://csp.withgoogle.com/docs/strict-csp.html
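An added example (not Hardenize's code and not from either commenter) of the kind of grading the two comments above ask for: a small CSP checker that parses a header value, grades the directive that governs scripts, fails the policy on `*`, `http:`, `'unsafe-inline'` or `'unsafe-eval'`, and only downgrades it on a blanket `https:` or `data:` scheme. The colour names and the assumption that `default-src` governs scripts only when `script-src` is absent are this example's own choices.

```python
# Added example of CSP grading, not Hardenize's own analysis code.

# Source expressions that fail a policy outright ("red").
FATAL = {"*": "wildcard host allows any origin",
         "http:": "plain-http scheme allows any unencrypted origin",
         "'unsafe-inline'": "inline script allowed, XSS is not mitigated",
         "'unsafe-eval'": "eval()-style execution allowed"}
# Source expressions that are risky but not automatically fatal ("yellow").
RISKY = {"data:": "data: URIs can carry attacker-controlled script",
         "https:": "blanket https: scheme allows any TLS origin"}


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _normalize(src: str) -> str:
    # Grade a concrete http://host entry like the bare http: scheme and
    # lower-case quoted keywords such as 'UNSAFE-INLINE'.
    s = src.lower()
    return "http:" if s.startswith("http://") else s


def evaluate_csp(policy: str) -> dict:
    """Return {'verdict': red|yellow|green, 'findings': [...]} for a policy.

    Only the directive that can load script is graded: script-src, or
    default-src when script-src is absent (assumption of this example).
    """
    d = parse_csp(policy)
    if "script-src" in d:
        name, sources = "script-src", d["script-src"]
    elif "default-src" in d:
        name, sources = "default-src", d["default-src"]
    else:
        return {"verdict": "red",
                "findings": ["no script-src or default-src: scripts unrestricted"]}
    findings, verdict = [], "green"
    for src in sources:
        n = _normalize(src)
        if n in FATAL:
            findings.append(f"{name} {src}: {FATAL[n]}")
            verdict = "red"
        elif n in RISKY:
            findings.append(f"{name} {src}: {RISKY[n]}")
            verdict = "yellow" if verdict == "green" else verdict
    return {"verdict": verdict, "findings": findings}
```

Run on the policy quoted in the issue, `default-src data: 'unsafe-inline' 'unsafe-eval' *`, it returns `red` with four findings; a nonce-based policy such as `script-src 'nonce-...' 'strict-dynamic'` returns `green`.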

ivanr commented 6 years ago

Our CSP analysis is very shallow at the moment. To set your expectations: because a complete rewrite is necessary, it's not something we will undertake for at least two months from now.