API tools faq
paste
Advertisement
ScottHelme

Dropbox issuing CSP header based on browser.

ScottHelme
Feb 1st, 2016
866
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.98 KB | None | 0 0
raw download clone embed print report
  1. scott@securityheaders:~/Per$ curl -A "Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3" -I https://www.dropbox.com/
  2. HTTP/1.1 200 OK
  3. Server: nginx
  4. Date: Mon, 01 Feb 2016 18:09:04 GMT
  5. Content-Type: text/html; charset=utf-8
  6. Connection: keep-alive
  7. x-xss-protection: 1; mode=block
  8. x-content-type-options: nosniff
  9. set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 30 Jan 2021 18:09:04 GMT; Path=/; secure
  10. set-cookie: gvc=MjE1MDg1NzA3OTg0MjM5NDYyMzAwNDI4Mjk3NTA4MTgwMDA0OTI0; expires=Sat, 30 Jan 2021 18:09:04 GMT; httponly; Path=/; secure
  11. set-cookie: __Host-js_csrf=HEIhi59qjkb4huRRVkcVj2fN; expires=Thu, 31 Jan 2019 18:09:04 GMT; Path=/; secure
  12. set-cookie: t=HEIhi59qjkb4huRRVkcVj2fN; Domain=dropbox.com; expires=Thu, 31 Jan 2019 18:09:04 GMT; httponly; Path=/; secure
  13. set-cookie: puc=; expires=Mon, 01 Feb 2016 18:09:04 GMT; httponly; Path=/; secure
  14. x-dropbox-request-id: 11ec0d4ec7b22f10ce256aec1fde7c7b
  15. pragma: no-cache
  16. cache-control: no-cache
  17. x-dropbox-http-protocol: None
  18. x-frame-options: SAMEORIGIN
  19. X-Server-Response-Time: 233
  20. Strict-Transport-Security: max-age=15552000; includeSubDomains
  21.  
  22. scott@securityheaders:~/Per$ curl -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" -I https://www.dropbox.com/
  23. HTTP/1.1 200 OK
  24. Server: nginx
  25. Date: Mon, 01 Feb 2016 18:09:13 GMT
  26. Content-Type: text/html; charset=utf-8
  27. Connection: keep-alive
  28. x-xss-protection: 1; mode=block
  29. content-security-policy: img-src https://* data: blob: ; connect-src https://* ws://127.0.0.1:*/ws ; media-src https://* ; object-src https://cf.dropboxstatic.com/static/ https://www.dropboxstatic.com 'self' https://flash.dropboxstatic.com https://swf.dropboxstatic.com https://dbxlocal.dropboxstatic.com ; default-src 'none' ; font-src https://* data: ; frame-src https://* carousel://* dbapi-6://* itms-apps://* itms-appss://* ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src https://ajax.googleapis.com/ajax/libs/jquery/ 'unsafe-eval' 'self' https://cf.dropboxstatic.com/static/javascript/ https://www.dropboxstatic.com/static/javascript/ https://cf.dropboxstatic.com/static/api/ https://www.google.com/recaptcha/api/ 'nonce-zMSyke6U4jT5JRJroO3R' ;
  30. x-content-type-options: nosniff
  31. set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 30 Jan 2021 18:09:13 GMT; Path=/; secure
  32. set-cookie: gvc=NTMxNzY3MTc1Njc5NTIwOTE0NjIxMTUxNDk5ODExNjY2ODY3NDY%3D; expires=Sat, 30 Jan 2021 18:09:13 GMT; httponly; Path=/; secure
  33. set-cookie: __Host-js_csrf=7F5ruunEHVhH-Mgq7sX2UJFZ; expires=Thu, 31 Jan 2019 18:09:13 GMT; Path=/; secure
  34. set-cookie: t=7F5ruunEHVhH-Mgq7sX2UJFZ; Domain=dropbox.com; expires=Thu, 31 Jan 2019 18:09:13 GMT; httponly; Path=/; secure
  35. set-cookie: puc=; expires=Mon, 01 Feb 2016 18:09:13 GMT; httponly; Path=/; secure
  36. x-dropbox-request-id: 2f5c7a39097f3318bbeef30813ec7289
  37. pragma: no-cache
  38. cache-control: no-cache
  39. x-dropbox-http-protocol: None
  40. x-frame-options: SAMEORIGIN
  41. X-Server-Response-Time: 273
  42. Strict-Transport-Security: max-age=15552000; includeSubDomains
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!