neocities csp examples

content-security-policy: upgrade-insecure-requests; default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; connect-src 'self' data: blob:; form-action 'self'; img-src * data:; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; font-src * data:; object-src *; media-src *; frame-src *;

blocked content

[blocked] widgets that you embed via a script tag that send requests (connect-src)

cusdis does not show at all due to its usage of fetch():

same for goatcounter's javascript widget. see the console.

[blocked] some widgets that you embed via a script tag that use a form (form-action)

via htmlcommentbox. while it shows, commenting is broken due to its use of a form


not blocked

hotlinking images (img-src)

dabric

widgets that you embed via a script tag that don't send requests (script-src)

google fonts (style-src, font-src)

Hello, world

youtube iframe embed (frame-src)
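
why the lists above come out that way, as an added example (not code from this page or from neocities): a simplified matcher that evaluates the policy above for a given directive and url. the page origin and all `.example` urls are constructed placeholders; only `*`, `'self'` and scheme sources are modeled.

```javascript
const POLICY = "upgrade-insecure-requests; default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; connect-src 'self' data: blob:; form-action 'self'; img-src * data:; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; font-src * data:; object-src *; media-src *; frame-src *;";

// fetch directives fall back to default-src when absent; form-action does not.
const NO_FALLBACK = new Set(["form-action"]);

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // the first occurrence of a directive wins; duplicates are ignored.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function allows(directives, directive, url, pageOrigin) {
  let sources = directives.get(directive);
  if (!sources) {
    if (NO_FALLBACK.has(directive)) return true; // absent form-action: unrestricted
    sources = directives.get("default-src");
    if (!sources) return true; // no policy applies to this request type
  }
  const target = new URL(url, pageOrigin);
  return sources.some((src) => {
    // "*" covers network schemes only, never data: or blob:
    if (src === "*") return ["http:", "https:", "ws:", "wss:"].includes(target.protocol);
    if (src === "'self'") return target.origin === new URL(pageOrigin).origin;
    // scheme source such as data: or blob:
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    return false; // 'unsafe-inline', 'unsafe-eval' and host sources are not modeled
  });
}

const PAGE = "https://example.neocities.org"; // assumed site origin
const parsed = parsePolicy(POLICY);
const checks = [ // constructed urls, one per case listed on this page
  ["connect-src", "https://comments.example/api"],  // widget calling fetch()
  ["form-action", "https://comments.example/post"], // widget posting a form
  ["img-src", "https://images.example/a.png"],      // hotlinked image
  ["script-src", "https://widgets.example/w.js"],   // script tag embed
  ["frame-src", "https://www.youtube.com/embed/VIDEO_ID"],
];
for (const [d, u] of checks) console.log(d, u, allows(parsed, d, u, PAGE) ? "allowed" : "blocked");
```

the first two checks print blocked and the rest print allowed: the widget script itself loads under `script-src *`, and only its later fetch() or form post to another origin is refused.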