tidied up the CSP lines

vulnerabilities/csp/source/high.php

 <?php
-//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
-$headerCSP = "Content-Security-Policy:".
-"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
-"default-src 'self';". // Default policy for loading html elements
-"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
-"frame-src 'none';". // vaid sources for frames
-"media-src 'self';". // vaid sources for media (audio and video html tags src)
-"object-src 'none'; ". // valid object embed and applet tags src
-"script-src 'self';" .
-"style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
+$headerCSP = "Content-Security-Policy: script-src 'self';";
 
 header($headerCSP);
 

vulnerabilities/csp/source/impossible.php

 <?php
-$nonce = hash('ripemd160', mt_rand() . time());
 
-
-//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
-$headerCSP = "Content-Security-Policy:".
-"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
-"default-src 'self';". // Default policy for loading html elements
-"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
-"frame-src 'none';". // vaid sources for frames
-"media-src 'self';". // vaid sources for media (audio and video html tags src)
-"object-src 'none'; ". // valid object embed and applet tags src
-"script-src 'self';" .
-"style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
+$headerCSP = "Content-Security-Policy: script-src 'self';";
 
 header($headerCSP);
 

vulnerabilities/csp/source/low.php

 <?php
-//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
-$headerCSP = "Content-Security-Policy:".
-"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
-"default-src 'self';". // Default policy for loading html elements
-"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
-"frame-src 'none';". // vaid sources for frames
-"media-src 'self';". // vaid sources for media (audio and video html tags src)
-"object-src 'none'; ". // valid object embed and applet tags src
-"script-src 'self' https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;". // allows js from self, pastebin.com, jquery and google analytics.
-"style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
+
+$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, jquery and google analytics.
 
 header($headerCSP);
 

vulnerabilities/csp/source/medium.php

 <?php
-//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
-$headerCSP = "Content-Security-Policy:".
-"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
-"default-src 'self';". // Default policy for loading html elements
-"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
-"frame-src 'none';". // vaid sources for frames
-"media-src 'self';". // vaid sources for media (audio and video html tags src)
-"object-src 'none'; ". // valid object embed and applet tags src
-"script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';" .
-"style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
+
+$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";
 
 header($headerCSP);