Content-Security-Policy Analysis for https://thredup.com

Open Cached · just now

17 directives

Content-Security-Policy

No enforced CSP headers found.

Content-Security-Policy-Report-Only

Content-Security-Policy-Report-Only: child-src blob:;connect-src 'self' https: wss://chat.stream-io-api.com;form-action 'self' https://www.facebook.com;frame-src 'self' https://apps.rokt.com https://assets.braintreegateway.com https://bat.bing.com https://cdn.pbbl.co https://checkout.paypal.com https://ct.pinterest.com https://events.release.narrativ.com https://help.thredup.com https://td.doubleclick.net https://tsdtocl.com https://us.creativecdn.com https://www.facebook.com https://www.googletagmanager.com https://www.paypal.com https://www.sandbox.paypal.com https://www.youtube.com;img-src * data:;media-src *;report-uri https://browser-intake-datadoghq.com/api/v2/logs?dd-api-key=pub82ca6a389d92e607333343497060795c&dd-evp-origin=content-security-policy&ddsource=csp-report&ddtags=service%3Ashop-app%2Cenv%3Aproduction;script-src 'self' 'unsafe-eval' https: 'strict-dynamic' 'nonce-66e8de94-874d-4625-973a-a69ba21499b9';worker-src blob: 'self';default-src 'self';base-uri 'self';font-src 'self' https: data:;frame-ancestors 'self';object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests

child-src Scheme —

blob:

connect-src Keyword —

'self'

connect-src Scheme —

https:

connect-src Host —

wss://chat.stream-io-api.com

form-action Keyword —

'self'

form-action Host

Facebook

https://www.facebook.com

frame-src Keyword —

'self'

frame-src Host —

https://apps.rokt.com

frame-src Host

Braintree

https://assets.braintreegateway.com

ASN | Cloudflare

frame-src Host

Microsoft Advertising

https://bat.bing.com

ASN | Microsoft

frame-src Host —

https://cdn.pbbl.co

frame-src Host

PayPal

https://checkout.paypal.com

ASN | Cloudflare

frame-src Host

Pinterest

https://ct.pinterest.com

frame-src Host —

https://events.release.narrativ.com

frame-src Host —

https://help.thredup.com

ASN | Cloudflare

frame-src Host

Google DoubleClick

https://td.doubleclick.net

frame-src Host —

https://tsdtocl.com

frame-src Host —

https://us.creativecdn.com

ASN | RTB-HOUSE-ASH RTB Marketing and Tech Services Ltd

frame-src Host

Facebook

https://www.facebook.com

frame-src Host

Google Tag Manager

https://www.googletagmanager.com

frame-src Host

PayPal

https://www.paypal.com

frame-src Host

PayPal

https://www.sandbox.paypal.com

frame-src Host

YouTube

https://www.youtube.com

img-src Host —

*

img-src Scheme —

data:

media-src Host —

*

report-uri Host

Datadog

https://browser-intake-datadoghq.com/api/v2/logs?dd-api-key=pub82ca6a389d92e607333343497060795c&dd-evp-origin=content-security-policy&ddsource=csp-report&ddtags=service%3Ashop-app%2Cenv%3Aproduction

script-src Keyword —

'self'

script-src Keyword —

'unsafe-eval'

script-src Scheme —

https:

script-src Keyword —

'strict-dynamic'

script-src Nonce —

'nonce-66e8de94-874d-4625-973a-a69ba21499b9'

worker-src Scheme —

blob:

worker-src Keyword —

'self'

default-src Keyword —

'self'

base-uri Keyword —

'self'

font-src Keyword —

'self'

font-src Scheme —

https:

font-src Scheme —

data:

frame-ancestors Keyword —

'self'

object-src Keyword —

'none'

script-src-attr Keyword —

'none'

style-src Keyword —

'self'

style-src Scheme —

https:

style-src Keyword —

'unsafe-inline'

upgrade-insecure-requests Source —

(no sources)