gmail csp 设置

readme.md

20200721

记录 https://mail.google.com/mail/u/0/#inbox 页面 的 CSP 设置

content-security-policy: script-src https://clients4.google.com/insights/consumersurveys/ https://www.google.com/js/bg/ 'self' 'unsafe-inline' 'unsafe-eval' https://mail.google.com/_/scs/mail-static/ https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://inputtools.google.com/request https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/ https://pagead2.googlesyndication.com/pagead/gadgets/gmail_ads/leadgen/;frame-src https://clients4.google.com/insights/consumersurveys/ https://calendar.google.com/accounts/ https://ogs.google.com https://onegoogle-autopush.sandbox.google.com 'self' https://accounts.google.com/ https://apis.google.com/u/ https://apis.google.com/_/streamwidgets/ https://clients6.google.com/static/ https://content.googleapis.com/static/ https://mail-attachment.googleusercontent.com/ https://www.google.com/calendar/ https://calendar.google.com/calendar/ https://docs.google.com/ https://drive.google.com https://*.googleusercontent.com/docs/securesc/ https://feedback.googleusercontent.com/resources/ https://www.google.com/tools/feedback/ https://support.google.com/inapp/ https://*.googleusercontent.com/gadgets/ifr https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www-gm-opensocial.googleusercontent.com/gadgets/ https://plus.google.com/ https://wallet.google.com/gmail/ https://www.youtube.com/embed/ https://clients5.google.com/pagead/drt/dn/ https://clients5.google.com/ads/measurement/jn/ https://www.gstatic.com/mail/ww/ https://www.gstatic.com/mail/intl/ https://clients5.google.com/webstore/wall/ https://ci3.googleusercontent.com/ https://gsuite.google.com/u/ https://gsuite.google.com/marketplace/appfinder https://www.gstatic.com/mail/promo/ https://notifications.google.com/ https://tracedepot-pa.clients6.google.com/static/ https://staging-taskassist-pa-googleapis.sandbox.google.com https://taskassist-pa.clients6.google.com https://*.prod.amp4mail.googleusercontent.com/ https://*.client-channel.google.com/client-channel/client https://clients4.google.com/invalidation/lcs/client https://tasks.google.com/embed/ https://keep.google.com/companion https://addons.gsuite.google.com https://contacts.google.com/widget/hovercard/v/2 https://*.googleusercontent.com/confidential-mail/attachments/;report-uri https://mail.google.com/mail/cspreport;object-src https://mail-attachment.googleusercontent.com/attachment/, script-src 'report-sample' 'nonce-AAgFrGyxkYZwmow5GuZhcA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://mail.google.com/mail/cspreport

content-security-policy: 
  script-src 
    https://clients4.google.com/insights/consumersurveys/ 
    https://www.google.com/js/bg/ 
    'self' 
    'unsafe-inline' 
    'unsafe-eval' 
    https://mail.google.com/_/scs/mail-static/ 
    https://hangouts.google.com/ 
    https://talkgadget.google.com/ 
    https://*.talkgadget.google.com/ 
    https://www.googleapis.com/appsmarket/v2/installedApps/ 
    https://www-gm-opensocial.googleusercontent.com/gadgets/js/ 
    https://docs.google.com/static/doclist/client/js/ 
    https://www.google.com/tools/feedback/ 
    https://s.ytimg.com/yts/jsbin/ 
    https://www.youtube.com/iframe_api 
    https://apis.google.com/_/scs/abc-static/ 
    https://apis.google.com/js/ 
    https://clients1.google.com/complete/ 
    https://apis.google.com/_/scs/apps-static/_/js/ 
    https://ssl.gstatic.com/inputtools/js/ 
    https://inputtools.google.com/request 
    https://ssl.gstatic.com/cloudsearch/static/o/js/ 
    https://www.gstatic.com/feedback/js/ 
    https://www.gstatic.com/common_sharing/static/client/js/ 
    https://www.gstatic.com/og/_/js/ 
    https://pagead2.googlesyndication.com/pagead/gadgets/gmail_ads/leadgen/;
  frame-src 
    https://clients4.google.com/insights/consumersurveys/ 
    https://calendar.google.com/accounts/ 
    https://ogs.google.com 
    https://onegoogle-autopush.sandbox.google.com 
    'self' 
    https://accounts.google.com/ 
    https://apis.google.com/u/ 
    https://apis.google.com/_/streamwidgets/ 
    https://clients6.google.com/static/ 
    https://content.googleapis.com/static/ 
    https://mail-attachment.googleusercontent.com/ 
    https://www.google.com/calendar/ 
    https://calendar.google.com/calendar/ 
    https://docs.google.com/ 
    https://drive.google.com 
    https://*.googleusercontent.com/docs/securesc/ 
    https://feedback.googleusercontent.com/resources/ 
    https://www.google.com/tools/feedback/ 
    https://support.google.com/inapp/ 
    https://*.googleusercontent.com/gadgets/ifr 
    https://hangouts.google.com/ 
    https://talkgadget.google.com/ 
    https://*.talkgadget.google.com/ 
    https://www-gm-opensocial.googleusercontent.com/gadgets/ 
    https://plus.google.com/ 
    https://wallet.google.com/gmail/ 
    https://www.youtube.com/embed/ 
    https://clients5.google.com/pagead/drt/dn/ 
    https://clients5.google.com/ads/measurement/jn/ 
    https://www.gstatic.com/mail/ww/ 
    https://www.gstatic.com/mail/intl/ 
    https://clients5.google.com/webstore/wall/ 
    https://ci3.googleusercontent.com/ 
    https://gsuite.google.com/u/ 
    https://gsuite.google.com/marketplace/appfinder 
    https://www.gstatic.com/mail/promo/ 
    https://notifications.google.com/ 
    https://tracedepot-pa.clients6.google.com/static/ 
    https://staging-taskassist-pa-googleapis.sandbox.google.com 
    https://taskassist-pa.clients6.google.com 
    https://*.prod.amp4mail.googleusercontent.com/ 
    https://*.client-channel.google.com/client-channel/client 
    https://clients4.google.com/invalidation/lcs/client 
    https://tasks.google.com/embed/ 
    https://keep.google.com/companion 
    https://addons.gsuite.google.com 
    https://contacts.google.com/widget/hovercard/v/2 
    https://*.googleusercontent.com/confidential-mail/attachments/;
  report-uri 
    https://mail.google.com/mail/cspreport;
  object-src https://mail-attachment.googleusercontent.com/attachment/, 
  script-src 
    'report-sample' 
    'nonce-AAgFrGyxkYZwmow5GuZhcA' 
    'unsafe-inline' 
    'strict-dynamic' 
    https: 
    http: 
    'unsafe-eval';
  object-src 
    'none';
  base-uri 
    'self';
  report-uri 
    https://mail.google.com/mail/cspreport