I am testing CSP header implementation. The implemented header value is:
Content-Security-Policy: default-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
X-Content-Security-Policy: default-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
X-WebKit-CSP: default-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
I know that because of unsafe-inline it is not a recommended configuration, but I do not understand the meaning of "data:" as a URI. If it is a URI, that should mean that data is a scheme (like https, ftp etc.), but I don't understand the purpose of this?
Additionally, is it recommended to also use the X-Content-Security-Policy and X-WebKit-CSP headers? Aren't they deprecated?
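As an added example (not part of the question), a small Python checker that parses the header value quoted above into its directives, resolves which sources govern a fetch directive that is not set explicitly (it falls back to default-src, so data: there allows data: URIs for images, fonts and anything else without its own directive), and flags the 'unsafe-*' keywords, the data: scheme-source and the two vendor-prefixed header names.

```python
"""Parse a Content-Security-Policy header value and flag weak sources."""

# Header value quoted in the question above.
POLICY = ("default-src 'self' data:; style-src 'self' 'unsafe-inline'; "
          "script-src 'self' 'unsafe-inline' 'unsafe-eval'")

# Vendor-prefixed header names from the question; both predate the
# standard Content-Security-Policy header and are superseded by it.
LEGACY_HEADERS = ("X-Content-Security-Policy", "X-WebKit-CSP")


def parse_csp(value):
    """Return {directive: [source, ...]} for one CSP header value."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Per the CSP spec, a repeated directive is ignored; first one wins.
        directives.setdefault(name, tokens[1:])
    return directives


def effective_sources(directives, fetch_directive):
    """Sources governing a fetch directive, falling back to default-src."""
    if fetch_directive in directives:
        return directives[fetch_directive]
    return directives.get("default-src", [])


def find_weaknesses(directives, headers=()):
    """Human-readable findings for weak source expressions and legacy headers."""
    findings = []
    for name, sources in directives.items():
        for src in sources:
            if src == "'unsafe-inline'":
                findings.append(f"{name}: 'unsafe-inline' permits inline code or styles")
            elif src == "'unsafe-eval'":
                findings.append(f"{name}: 'unsafe-eval' permits eval()-style execution")
            elif src.lower() == "data:":
                findings.append(f"{name}: data: permits any data: URI for this directive")
    for header in headers:
        if header in LEGACY_HEADERS:
            findings.append(f"{header}: legacy prefixed header, superseded by Content-Security-Policy")
    return findings


if __name__ == "__main__":
    parsed = parse_csp(POLICY)
    print("img-src is governed by:", effective_sources(parsed, "img-src"))
    for finding in find_weaknesses(parsed, LEGACY_HEADERS):
        print(finding)
```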