See: https://webcookies.org/cookies/www.onesearch.com/28899335?930381
persistent tracking going on there.
P3P is a mostly abandoned standard for website privacy policy declaration that has little use today.
Please consider switching to DoNotTrack standard.
On CSP misconfiguration:
Content Security Policy:
frame-ancestors 'none'; default-src 'self' https://*.onesearch.com; script-src 'self' 'unsafe-inline' 'nonce-DUH8wO761xGKs9Odg+OtUg==' 'unsafe-eval' https://*.onesearch.com; style-src 'self' 'unsafe-inline' https://*.onesearch.com; img-src 'self' data: https://*.onesearch.com; frame-src 'self'; media-src *; object-src *; connect-src https://*.onesearch.com; font-src * data:; report-uri https://www.onesearch.com/notracking/beacon/csp?src=privatesearch;
Policy delivery method: Content-Security-Policy
Enforcement: True
No base-uri allows attackers to inject base tags which override the base URI to an attacker-controlled origin. Set to 'none' unless you need to handle tricky relative URLs scheme.
Consider adding the block-all-mixed-content directive if your website is only accessible over TLS and you are certain it does not have any legacy plaintext resources. Otherwise you may consider adding the upgrade-insecure-requests directive if your website may still have some legacy plaintext HTTP resources and you want them to be still available rather than blocked.
You should definitely try using ‘strict-dynamic’ to eliminate those long lists of trusted third-party scripts
Consider using script-src ‘report-sample’ as it significantly helps debugging CSP reports. See specification
Origin script-src ‘unsafe-inline’ allows bypassing of CSP and execution of inlined untrusted scripts. Use ‘nonce-’ or ‘sha256-’ instead
Origin script-src ‘unsafe-eval’ allows bypassing of CSP and execution of inlined untrusted scripts. Use ‘nonce-’ or ‘sha256-’ instead
Origin style-src ‘unsafe-inline’ allows bypassing of CSP and execution of inlined untrusted scripts. Use ‘nonce-’ or ‘sha256-’ instead
The img-src data: origin allows bypassing CSP and execution of inlined untrusted scripts
The font-src data: origin allows bypassing CSP and execution of inlined untrusted scripts
Content Security Policy (CSP) implemented unsafely.
This includes ‘unsafe-inline’ or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
Also consider these B+ standard scan results: https://observatory.mozilla.org/analyze/www.onesearch.com
Tracking connection security: This website is secured
100% of the trackers on this site are helping protect you from NSA snooping. Why not thank onesearch dot com for being secure?
All trackers
At least 2 third parties know you are on this webpage.
- cdn.onesearch.com
- www.onesearch.com
- www.onesearch.com
Tracker is tracking with some safety measures.
Tracker does not support secure transmission.
HTML validation check report: https://validator.w3.org/nu/?doc=https%3A%2F%2Fwww.onesearch.com%2F
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
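As an added illustration of the CSP findings quoted in the scan above (not code from the post, the webcookies.org scanner or the site), the following Python snippet parses a Content-Security-Policy header and flags the same classes of weakness: missing base-uri, 'unsafe-inline' and 'unsafe-eval', data: sources in image/font/script directives, an unrestricted or wildcard object-src, and the absence of a mixed-content directive. It also applies the default-src fallback, which the scanner's per-directive remarks leave implicit. The two sample policies (a weak one modelled on the scanned header with the hostnames replaced by example.com, and a tightened counterpart) are constructed for this example.

```python
"""Minimal CSP linter for the weakness classes named in the scan results.

Added example, not the scanner's own code. The sample policies below are
constructed; hostnames and nonces are placeholders, not the scanned site's.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (directive, issue code)

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = (
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src",
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.

    Directive names are case-insensitive; a repeated directive name is
    ignored after its first occurrence, as the specification requires.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list governing `directive`, honouring the default-src fallback.

    Returns None when nothing restricts the directive at all.
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def has_keyword(sources: List[str], keyword: str) -> bool:
    """Keyword sources ('self', 'none', 'unsafe-inline', ...) match case-insensitively."""
    return any(s.lower() == keyword for s in sources)


def lint_csp(header: str) -> List[Finding]:
    policy = parse_csp(header)
    findings: List[Finding] = []

    # 1. Without base-uri, an injected <base> tag re-points every relative URL.
    if "base-uri" not in policy:
        findings.append(("base-uri", "missing"))

    # 2. Inline and eval allowances that defeat the script/style restrictions.
    for d in ("script-src", "style-src"):
        sources = effective(policy, d)
        if sources is None:
            findings.append((d, "unrestricted"))
            continue
        if has_keyword(sources, "'unsafe-inline'"):
            nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
            )
            # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present;
            # older browsers still honour it, so it is only a legacy fallback.
            findings.append((d, "unsafe-inline-legacy-only" if nonce_or_hash else "unsafe-inline"))
        if d == "script-src" and has_keyword(sources, "'unsafe-eval'"):
            findings.append((d, "unsafe-eval"))

    # 3. data: URLs let content be supplied without any network origin check.
    for d in ("script-src", "object-src", "img-src", "font-src"):
        sources = effective(policy, d)
        if sources and any(s.lower() == "data:" for s in sources):
            findings.append((d, "data-scheme"))

    # 4. object-src should be 'none' unless plugin content is genuinely required.
    obj = effective(policy, "object-src")
    if obj is None:
        findings.append(("object-src", "unrestricted"))
    elif not has_keyword(obj, "'none'"):
        findings.append(("object-src", "not-none"))

    # 5. Scheme-only or '*' sources in the directives that can load code.
    for d in ("script-src", "object-src"):
        if any(s.lower() in ("*", "http:", "https:") for s in (effective(policy, d) or [])):
            findings.append((d, "overly-broad"))

    # 6. Neither mixed-content directive present.
    if "block-all-mixed-content" not in policy and "upgrade-insecure-requests" not in policy:
        findings.append(("policy", "no-mixed-content-directive"))

    return findings


# Constructed: modelled on the scanned header, with placeholder host and nonce.
WEAK_POLICY = (
    "frame-ancestors 'none'; default-src 'self' https://*.example.com; "
    "script-src 'self' 'unsafe-inline' 'nonce-c29tZXJhbmRvbW5vbmNl' 'unsafe-eval' https://*.example.com; "
    "style-src 'self' 'unsafe-inline' https://*.example.com; "
    "img-src 'self' data: https://*.example.com; frame-src 'self'; media-src *; object-src *; "
    "connect-src https://*.example.com; font-src * data:; "
    "report-uri https://www.example.com/csp-report"
)

# Constructed: the same policy tightened along the lines the scan recommends.
HARDENED_POLICY = (
    "frame-ancestors 'none'; default-src 'self'; base-uri 'none'; object-src 'none'; "
    "script-src 'self' 'nonce-c29tZXJhbmRvbW5vbmNl' 'strict-dynamic' 'report-sample'; "
    "style-src 'self' 'nonce-c29tZXJhbmRvbW5vbmNl'; img-src 'self' https://*.example.com; "
    "font-src 'self'; connect-src 'self'; media-src 'self'; frame-src 'self'; "
    "upgrade-insecure-requests; report-uri https://www.example.com/csp-report"
)

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        result = lint_csp(pol)
        print(f"{label}: {len(result)} finding(s)")
        for directive, issue in result:
            print(f"  {directive}: {issue}")
```

Running the module prints nine findings for the weak policy and none for the hardened one. The fallback logic matters in practice: a policy with no script-src at all is governed by default-src, so a lax default-src is what the scanner's script-src remarks would really be about.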