ScottHelme

Dropbox issuing CSP header based on browser.

Feb 1st, 2016
scott@securityheaders:~/Per$ curl -A "Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3" -I https://www.dropbox.com/
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Feb 2016 18:09:04 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 30 Jan 2021 18:09:04 GMT; Path=/; secure
set-cookie: gvc=MjE1MDg1NzA3OTg0MjM5NDYyMzAwNDI4Mjk3NTA4MTgwMDA0OTI0; expires=Sat, 30 Jan 2021 18:09:04 GMT; httponly; Path=/; secure
set-cookie: __Host-js_csrf=HEIhi59qjkb4huRRVkcVj2fN; expires=Thu, 31 Jan 2019 18:09:04 GMT; Path=/; secure
set-cookie: t=HEIhi59qjkb4huRRVkcVj2fN; Domain=dropbox.com; expires=Thu, 31 Jan 2019 18:09:04 GMT; httponly; Path=/; secure
set-cookie: puc=; expires=Mon, 01 Feb 2016 18:09:04 GMT; httponly; Path=/; secure
x-dropbox-request-id: 11ec0d4ec7b22f10ce256aec1fde7c7b
pragma: no-cache
cache-control: no-cache
x-dropbox-http-protocol: None
x-frame-options: SAMEORIGIN
X-Server-Response-Time: 233
Strict-Transport-Security: max-age=15552000; includeSubDomains

scott@securityheaders:~/Per$ curl -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" -I https://www.dropbox.com/
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Feb 2016 18:09:13 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
x-xss-protection: 1; mode=block
content-security-policy: img-src https://* data: blob: ; connect-src https://* ws://127.0.0.1:*/ws ; media-src https://* ; object-src https://cf.dropboxstatic.com/static/ https://www.dropboxstatic.com 'self' https://flash.dropboxstatic.com https://swf.dropboxstatic.com https://dbxlocal.dropboxstatic.com ; default-src 'none' ; font-src https://* data: ; frame-src https://* carousel://* dbapi-6://* itms-apps://* itms-appss://* ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src https://ajax.googleapis.com/ajax/libs/jquery/ 'unsafe-eval' 'self' https://cf.dropboxstatic.com/static/javascript/ https://www.dropboxstatic.com/static/javascript/ https://cf.dropboxstatic.com/static/api/ https://www.google.com/recaptcha/api/ 'nonce-zMSyke6U4jT5JRJroO3R' ;
x-content-type-options: nosniff
set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 30 Jan 2021 18:09:13 GMT; Path=/; secure
set-cookie: gvc=NTMxNzY3MTc1Njc5NTIwOTE0NjIxMTUxNDk5ODExNjY2ODY3NDY%3D; expires=Sat, 30 Jan 2021 18:09:13 GMT; httponly; Path=/; secure
set-cookie: __Host-js_csrf=7F5ruunEHVhH-Mgq7sX2UJFZ; expires=Thu, 31 Jan 2019 18:09:13 GMT; Path=/; secure
set-cookie: t=7F5ruunEHVhH-Mgq7sX2UJFZ; Domain=dropbox.com; expires=Thu, 31 Jan 2019 18:09:13 GMT; httponly; Path=/; secure
set-cookie: puc=; expires=Mon, 01 Feb 2016 18:09:13 GMT; httponly; Path=/; secure
x-dropbox-request-id: 2f5c7a39097f3318bbeef30813ec7289
pragma: no-cache
cache-control: no-cache
x-dropbox-http-protocol: None
x-frame-options: SAMEORIGIN
X-Server-Response-Time: 273
Strict-Transport-Security: max-age=15552000; includeSubDomains
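As an added check (my code, not part of the paste), the script below parses header dumps like the two above, reports which expected security headers each User-Agent's response lacks, and splits the CSP that the Firefox 40 request received into directives, flagging wildcard and unsafe-* sources. The two raw header blocks are constructed from the paste, trimmed to the headers relevant to the comparison.

```python
# Constructed from the two curl responses above (cookies, dates, request ids dropped).
OLD_FIREFOX = """HTTP/1.1 200 OK
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains"""

NEW_FIREFOX = """HTTP/1.1 200 OK
x-xss-protection: 1; mode=block
content-security-policy: img-src https://* data: blob: ; connect-src https://* ws://127.0.0.1:*/ws ; media-src https://* ; object-src https://cf.dropboxstatic.com/static/ https://www.dropboxstatic.com 'self' https://flash.dropboxstatic.com https://swf.dropboxstatic.com https://dbxlocal.dropboxstatic.com ; default-src 'none' ; font-src https://* data: ; frame-src https://* carousel://* dbapi-6://* itms-apps://* itms-appss://* ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src https://ajax.googleapis.com/ajax/libs/jquery/ 'unsafe-eval' 'self' https://cf.dropboxstatic.com/static/javascript/ https://www.dropboxstatic.com/static/javascript/ https://cf.dropboxstatic.com/static/api/ https://www.google.com/recaptcha/api/ 'nonce-zMSyke6U4jT5JRJroO3R' ;
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains"""

# Headers a defender expects on every response, whatever the User-Agent.
SECURITY_HEADERS = {"content-security-policy", "strict-transport-security",
                    "x-frame-options", "x-content-type-options", "x-xss-protection"}
PERMISSIVE = {"*", "https:", "http:", "https://*", "http://*",
              "'unsafe-inline'", "'unsafe-eval'"}

def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def missing_security_headers(raw):
    """Expected security headers that this response does not carry."""
    return sorted(SECURITY_HEADERS - parse_headers(raw).keys())

def parse_csp(policy):
    """Split a CSP value into {directive: [source expressions]}."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def permissive_sources(policy):
    """{directive: [weak sources]}: scheme wildcards and unsafe-* keywords, not a tight allow-list."""
    flagged = {}
    for name, sources in parse_csp(policy).items():
        weak = [s for s in sources if s in PERMISSIVE]
        if weak:
            flagged[name] = weak
    return flagged
```

Running the functions over the two blocks shows the Firefox 27 response missing only the CSP, and the CSP itself whitelisting https://* in most directives while style-src also carries 'unsafe-inline' and 'unsafe-eval'.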