| Test | Pass |
|---|---|
| Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src | Yes |
| Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src | Yes |
| Blocks execution of plug-ins, using object-src restrictions | Yes |
| Blocks inline styles by not allowing 'unsafe-inline' inside style-src | Yes |
| Blocks loading of active content over HTTP or FTP | Yes |
| Blocks loading of passive content over HTTP or FTP | Yes |
| Clickjacking protection, using frame-ancestors | Yes |
| Deny by default, using default-src 'none' | Yes |
| Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins | Yes |
| Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs | Yes |