Today, I asked DeepSeek-R1-Distill-Qwen-32B to fix a Content Security Policy (CSP) header based on a report.
Instead of just adding the missing host, it also added https://cdnjs.cloudflare.com.
After I asked why it did that, it gave me a generic "check your JavaScript loading patterns" 🤷
Assuming no malicious intent, this suggests that having Cloudflare in the connect section of a CSP has become a defining feature for the LLM.
Anyhow, this would open up a huge security hole if unchecked. So expect to see that in the near future on some big sites.
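
One way to catch this kind of change before it ships, as an added example that is not part of the original post: diff the proposed CSP against the current one and flag every source the violation report did not call for. The policies and the `example.com` hosts are constructed sample data, and the function names are hypothetical.

```python
def parse_csp(policy: str) -> dict[str, set[str]]:
    """Parse a CSP header value into {directive: {source expressions}}."""
    directives: dict[str, set[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()  # directive names are case-insensitive
        # Browsers ignore a repeated directive, so only the first one counts.
        if name not in directives:
            directives[name] = set(tokens[1:])
    return directives


def unrequested_additions(old: str, new: str,
                          requested: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return sources present in `new` but not in `old` that are not in `requested`.

    `requested` maps a directive to the sources the report actually asked for.
    """
    before, after = parse_csp(old), parse_csp(new)
    findings: dict[str, set[str]] = {}
    for name, sources in after.items():
        added = sources - before.get(name, set())
        extra = added - requested.get(name, set())
        if extra:
            findings[name] = extra
    return findings


# Constructed sample: the report only asked for telemetry.example.com.
CURRENT = "default-src 'self'; connect-src 'self' https://api.example.com"
PROPOSED = ("default-src 'self'; connect-src 'self' https://api.example.com "
            "https://telemetry.example.com https://cdnjs.cloudflare.com")
REQUESTED = {"connect-src": {"https://telemetry.example.com"}}

if __name__ == "__main__":
    for directive, extra in unrequested_additions(CURRENT, PROPOSED, REQUESTED).items():
        print(f"{directive}: unrequested source(s) {sorted(extra)}")
```

Run as a review or CI gate on any machine-generated policy change, a non-empty result means the change needs a human to justify each extra source.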