It looks like Facebook is using the experimental CSP headers today. I am kinda amused by some of the whitelisted domains and apps.<p>I have provided it here for your amusement.<p><pre><code>x-webkit-csp:default-src *;
script-src https://*.facebook.com
http://*.facebook.com
https://*.fbcdn.net
http://*.fbcdn.net
*.facebook.net
*.google-analytics.com
*.virtualearth.net
*.google.com
127.0.0.1:*
*.spotilocal.com:*
chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl
'unsafe-inline'
'unsafe-eval'
https://*.akamaihd.net
http://*.akamaihd.net;
style-src * 'unsafe-inline';
connect-src https://*.facebook.com
http://*.facebook.com
https://*.fbcdn.net
http://*.fbcdn.net
*.facebook.net
*.spotilocal.com:*
https://*.akamaihd.net
ws://*.facebook.com:*
http://*.akamaihd.net;</code></pre>
For the less informed, CSPs are a new web tool to help websites defend against cross-site scripting.<p>Here is a definition of the spec, although this is only implemented for Chrome and Safari.
<a href="http://people.mozilla.org/~bsterne/content-security-policy/details.html" rel="nofollow">http://people.mozilla.org/~bsterne/content-security-policy/d...</a>
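As an added example (not part of the post above and not Facebook's code), here is a small Python parser and audit for a CSP header value, run over a copy of the policy quoted in the post. The `FACEBOOK_CSP` constant is that policy collapsed onto one line with the `x-webkit-csp` header name removed; the `FETCH_DIRECTIVES` list and the rules in `weakness()` are my own choices for illustration, not anything from the spec linked above. What it shows is the defender's reading of this header: `default-src *` is inherited by every directive the policy does not set (object-src, img-src, frame-src and so on), and `'unsafe-inline'` in `script-src` means an injected inline script still executes, so the XSS protection the header is meant to provide is mostly switched off.

```python
# Constructed: the policy quoted in the post above, with the X-WebKit-CSP
# header name removed and whitespace collapsed onto one line.
FACEBOOK_CSP = (
    "default-src *; "
    "script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net "
    "http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net "
    "*.google.com 127.0.0.1:* *.spotilocal.com:* "
    "chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' "
    "https://*.akamaihd.net http://*.akamaihd.net; "
    "style-src * 'unsafe-inline'; "
    "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net "
    "http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net "
    "ws://*.facebook.com:* http://*.akamaihd.net"
)

# Assumed list of fetch directives that fall back to default-src when unset.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "media-src", "frame-src")


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and source expressions by whitespace.
    Directive names are case-insensitive; source expressions are kept verbatim.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def weakness(directive, source):
    """Return a short reason if a source expression weakens the policy, else None.

    These rules are illustrative choices for this example, not the spec's own.
    """
    if source == "*":
        return "wildcard: any origin may serve this resource type"
    if source == "'unsafe-inline'":
        if directive == "script-src":
            return "inline scripts allowed: an injected <script> block still runs"
        return "inline content allowed"
    if source == "'unsafe-eval'":
        return "eval()/Function() allowed: string-to-code is not blocked"
    if source.startswith(("http://", "ws://")):
        return "plaintext scheme: content can be altered on the network"
    if source.startswith(("127.0.0.1", "localhost")):
        return "loopback host: any software listening locally can supply content"
    if source.startswith("chrome-extension://"):
        return "browser-extension origin whitelisted as a script source"
    return None


def audit_csp(policy):
    """Return (directive, source, reason) for every weak source expression."""
    findings = []
    for directive, sources in policy.items():
        for source in sources:
            reason = weakness(directive, source)
            if reason:
                findings.append((directive, source, reason))
    return findings


if __name__ == "__main__":
    policy = parse_csp(FACEBOOK_CSP)
    # Show what each fetch directive really allows once the fallback is applied.
    for directive in FETCH_DIRECTIVES:
        origin = "explicit" if directive in policy else "inherited from default-src"
        print(f"{directive:12s} ({origin}): {' '.join(effective_sources(policy, directive))}")
    print()
    for directive, source, reason in audit_csp(policy):
        print(f"[{directive}] {source}: {reason}")
```

Running it lists every fetch directive with its effective sources (the unset ones all show `*`) and then the flagged entries; on this policy the flagged list is dominated by plaintext `http://` and `ws://` hosts plus the `'unsafe-inline'` / `'unsafe-eval'` keywords.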