
Their website headers also whitelist a lot of domains including quite a handful that are known malware distributors. See for yourself: curl -I https://zoom.us



All I see is `Content-Security-Policy-Report-Only`, which doesn't actually do anything security-wise. Their site uses the default CSP settings.


I'm not an expert in this stuff. Is there a reason all of these domains are specified here?

[edit, formatting]

Content-Security-Policy-Report-Only: default-src blob: 'self'; script-src 'unsafe-eval' 'unsafe-inline' blob: https://*.50million.club https://*.adroll.com https://*.cloudfront.net https://*.google.com https://*.hotjar.com https://*.zoom.us https://*.zoomus.cn https://*.zopim.com https://ad.lkqd.net https://ajax.aspnetcdn.com https://apiurl.org https://appsforoffice.microsoft.com https://assets.zendesk.com https://bat.bing.com https://cdn.5bong.com https://cdn.jsdelivr.net https://cdncache-a.akamaihd.net https://code.jquery.com https://connect.facebook.net https://consent.trustarc.com https://extnetcool.com https://fp166.digitaloptout.com https://googleads.g.doubleclick.net https://intljs.rmtag.com https://pi.pardot.com https://px.ads.linkedin.com https://ruanshi2.8686c.com https://rum-static.pingdom.net https://s.dcbap.com https://s.yimg.com https://s.ytimg.com https://s3.amazonaws.com https://scout-cdn.salesloft.com https://sealserver.trustwave.com https://secure-cdn.mplxtms.com https://secure.myshopcouponmac.com https://snap.licdn.com https://sp.analytics.yahoo.com https://srvvtrk.com https://static.zdassets.com https://static2.sharepointonline.com https://tag.demandbase.com https://tpc.googlesyndication.com https://tracking.g2crowd.com https://translate.googleapis.com https://trk.techtarget.com https://unpkg.com https://www.comeet.co https://www.dropbox.com https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com https://d.adroll.mgr.consensu.org https://serve2.cheqzone.com https://*.ada.support 'self'; img-src https: blob: data: 'self'; style-src https: 'unsafe-inline' 'self'; font-src https: data: 'self'; connect-src * data: 'self'; media-src * blob: 'self'; frame-src https: ms-appx-web: zoommtg: zoomus: 'self'


These are blanket permissions for third party ad and affiliate (user tracking) scripts, so much for "targeted at organizations with IT departments" and "we do not sell your data".


This list makes me scratch my head... when, ever, would ".google.com" be filtered the same way as ".50million.club" or even "googleads.g.doubleclick.net"?

I understand the header causes logged reports, no actual policy enforcement, but still... I don't have a good read on their underlying concern here.


If I understood it correctly it tells the browser it's OK to run scripts from all these origins. No idea why there are so many malware associated domains here. Maybe Zoom's CEO could enlighten us. Probably because of the virus and unexpected growth I'm sure.


The domains are likely in the whitelist as their report-uri was getting spammed with reports from users that have adware/malware extensions in their browser.

These extensions inject their own scripts into the page which will then fail based on the CSP and send a report to the server. In an ideal world you would just 'ignore' these reports server-side instead of whitelisting the domains.
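The two technical points in this thread, the script-src allow-list quoted above and the suggestion that a report-uri endpoint should drop extension-generated reports server-side rather than whitelist the offending domains, can be made concrete with a small parser and triage routine. This is an added example and not code from the thread or from Zoom; the policy string is a trimmed version of the posted header, the violation reports are constructed samples, and the assumption that extension-injected scripts surface an extension scheme in `blocked-uri` or `source-file` is labelled in the code (browsers differ in how much they redact).

```python
"""Added example: parse a Content-Security-Policy value, flag the script-src
entries that make it ineffective, and triage report-uri violation reports so
extension/adware noise is dropped server-side instead of widening the policy."""
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed version of the report-only policy quoted above.
POLICY = (
    "default-src blob: 'self'; "
    "script-src 'unsafe-eval' 'unsafe-inline' blob: https://*.zoom.us "
    "https://code.jquery.com https://www.google-analytics.com 'self'; "
    "img-src https: blob: data: 'self'; "
    "connect-src * data: 'self'"
)
PAGE_ORIGIN = "https://zoom.us"  # origin that 'self' resolves to

# Assumption: scripts injected by browser extensions show one of these schemes
# in the report's blocked-uri or source-file. Browsers differ in what they redact.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-web-extension"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


POLICY_PARSED = parse_csp(POLICY)


def weak_script_sources(policy: dict[str, list[str]]) -> list[str]:
    """script-src entries that defeat the point of CSP against injected script:
    the unsafe keywords, a bare '*', and scheme-only sources such as blob:."""
    sources = policy.get("script-src") or policy.get("default-src", [])
    return [s for s in sources
            if s in ("'unsafe-inline'", "'unsafe-eval'", "*") or s.endswith(":")]


def host_allowed(policy: dict[str, list[str]], directive: str, uri: str) -> bool:
    """Does `uri` match a host-, scheme- or 'self' source of `directive`
    (falling back to default-src)? Ports and paths are ignored for brevity."""
    parts = urlsplit(uri)
    for src in policy.get(directive) or policy.get("default-src", []):
        if src == "*":
            return True
        if src == "'self'":
            if f"{parts.scheme}://{parts.netloc}" == PAGE_ORIGIN:
                return True
            continue
        if src.endswith(":"):  # scheme-source, e.g. https: or blob:
            if parts.scheme == src[:-1]:
                return True
            continue
        if src.startswith("'"):  # nonce/hash/other keywords: not host matches
            continue
        allowed = urlsplit(src if "://" in src else "//" + src)
        if allowed.scheme and allowed.scheme != parts.scheme:
            continue
        host = allowed.netloc.lower()
        if host.startswith("*."):
            if parts.hostname and parts.hostname.endswith(host[1:]):
                return True
        elif parts.hostname == host:
            return True
    return False


def triage_report(report_json: str) -> str:
    """Classify one report-uri POST body:
    'extension-noise' -> drop silently, an extension injected the script;
    'covered'         -> the policy already allows it (stale client / duplicate);
    'review'          -> a genuinely unlisted source, worth a human look."""
    body = json.loads(report_json)["csp-report"]
    blocked = body.get("blocked-uri", "")
    source_file = body.get("source-file", "")
    if any(urlsplit(u).scheme in EXTENSION_SCHEMES for u in (blocked, source_file)):
        return "extension-noise"
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    directive = directive.split()[0] if directive else "default-src"
    if blocked.startswith(("http://", "https://")) and host_allowed(POLICY_PARSED, directive, blocked):
        return "covered"
    return "review"


# Constructed sample reports in the report-uri JSON shape (hosts use the
# reserved .test TLD and are not real sites).
REPORTS = [
    '{"csp-report": {"document-uri": "https://zoom.us/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://cdn.adware-sample.test/inject.js",'
    ' "source-file": "chrome-extension://abcdefghijkl/content.js"}}',
    '{"csp-report": {"document-uri": "https://zoom.us/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://code.jquery.com/jquery.min.js"}}',
    '{"csp-report": {"document-uri": "https://zoom.us/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://unknown-tracker.test/t.js"}}',
]


def triage_all(reports: list[str]) -> list[str]:
    return [triage_report(r) for r in reports]


if __name__ == "__main__":
    print("weak script-src entries:", weak_script_sources(POLICY_PARSED))
    for report, verdict in zip(REPORTS, triage_all(REPORTS)):
        print(verdict, "<-", json.loads(report)["csp-report"]["blocked-uri"])
```

The point of `triage_report` is the one made in the comment above: a report whose source is a browser extension tells you nothing about the site's own policy, so the right response is to discard it at the collector, not to add the extension's CDN to script-src. `weak_script_sources` shows why the quoted header would give little protection even if it were enforced rather than report-only: with `'unsafe-inline'`, `'unsafe-eval'` and `blob:` present, an attacker who can inject markup does not need any of the listed hosts.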



