Often CSP implemented on websites does not follow best policies...

Random example: -https://fox-it.com/
CSP evaluator detects

default-src https:;
script-src https: ‘unsafe-inline’ ‘unsafe-eval’;
style-src https: ‘unsafe-inline’;
object-src ‘none’;
////////////////////////////////////
checkdefault-src
expand_more
errorscript-src
expand_more
errorhttps:
https: URI in script-src allows the execution of unsafe scripts.
error’unsafe-inline’
‘unsafe-inline’ allows the execution of unsafe in-page scripts and event handlers.
help_outline’unsafe-eval’
‘unsafe-eval’ allows the execution of code injected into DOM APIs such as eval().
//////////////////////////////
checkdefault-src
expand_more
checkhttps:

errorscript-src
Host whitelists can frequently be bypassed. Consider using ‘strict-dynamic’ in combination with CSP nonces or hashes.
expand_more
errorhttps:
https: URI in script-src allows the execution of unsafe scripts.
error’unsafe-inline’
‘unsafe-inline’ allows the execution of unsafe in-page scripts and event handlers.
help_outline’unsafe-eval’
‘unsafe-eval’ allows the execution of code injected into DOM APIs such as eval().
///////////////////////////////
https://fox-it.com
Directive “-https://fox-it.com” is not a known CSP directive.
RECX findings:
default-src https:; script-src https: ‘unsafe-inline’ ‘unsafe-eval’; style-src https: ‘unsafe-inline’; object-src ‘none’
Page-meta-security headers CSP not set.

Also consider the B-grade score here: https://webcookies.org/cookies/fox-it.com/28884502?365360

Advanced trackers Advanced user tracking and fingerprinting techniques are used by websites to bypass privacy protection in web browsers and increase tracking persistence.

Beacon_API
-b’navigator.sendBeacon’ … -b’navigator.sendBeacon’ … -b’navigator.sendBeacon’

X-XSS-Protection header is missing
Origin script-src ‘unsafe-inline’ allows bypassing of CSP and execution of inlined untrusted scripts. Use ‘nonce-’ or ‘sha256-’ instead

Origin script-src ‘unsafe-eval’ allows bypassing of CSP and execution of inlined untrusted scripts. Use ‘nonce-’ or ‘sha256-’ instead

Origin style-src ‘unsafe-inline’ allows bypassing of CSP and execution of inlined untrusted scripts. Use ‘nonce-’ or ‘sha256-’ instead

User tracking (blocked for me inside browser) → -https://www.google-analytics.com/analytics.js

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)