
[CSP] Geotargetting?

From: Jacob Bednarz <jacob.bednarz@gmail.com>
Date: Fri, 9 Jan 2015 18:19:10 +1000 (AEST)
To: public-webappsec@w3.org
Message-ID: <alpine.OSX.2.11.1501091804550.88159@jacobs-macbook-pro.local>
Hey,
I work on a project that houses about 80 websites. We provide the base 
framework and infrastructure and then a site-specific developer can 
implement further changes at the site level. One of the things we are 
looking at doing at the moment is implementing a content security policy 
for all sites. So far this has been pretty smooth and we have seen great 
gains from implementing it. Unfortunately, we hit a bit of a snag with 
services (mainly Google) serving assets from localised domains.

Example: A customer in India is using Google services and the assets are 
being served from https://google.co.in whereas a customer in the UK is 
using the same services and getting the assets delivered from 
https://google.co.uk

From what I have tested, unless I add every single localised domain to the 
desired directives I cannot roll out the content security policy (as 
expressions such as http://google.co* are invalid).

Is there any other approach I could take with this? Or is there something 
I have blindly missed? If there is not a solution currently in place, is 
this something worth looking at trying to implement or is this an edge 
case that wouldn't benefit from being added to the spec?

Thanks in advance,
Jacob.
Received on Friday, 9 January 2015 09:23:44 UTC
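
The wildcard limitation described in the message above, as an added example that is not part of the original post: a validator for the CSP Level 2 host-source grammar, a host-part matcher, and a directive builder fed from an explicit allow-list. The function names and the choice of `script-src` are assumptions made for illustration; scheme, port and path matching are left out.

```javascript
// Added example (not from the original message). Host-part grammar, CSP Level 2:
//   host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
// A "*" is legal only as the whole host or as the leftmost label ("*.").
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^\s;,]*)?$/i;

// Returns { scheme, host } for a valid host-source, or null when it is invalid.
function parseHostSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// Host comparison only: "*.example.com" matches subdomains, not "example.com".
function hostPartMatches(expr, hostname) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const host = hostname.toLowerCase();
  if (src.host === "*") return true;
  if (src.host.startsWith("*.")) return host.endsWith(src.host.slice(1));
  return host === src.host;
}

// Builds one directive from an explicit allow-list and rejects invalid entries
// up front, so a bad expression never reaches the response header.
function buildDirective(name, sources) {
  const bad = sources.filter((s) => parseHostSource(s) === null);
  if (bad.length > 0) throw new Error(`invalid host-source: ${bad.join(", ")}`);
  return `${name} ${sources.join(" ")}`;
}

// Constructed sample: the two localised hosts named in the message.
const localised = ["https://google.co.in", "https://google.co.uk"];
console.log(buildDirective("script-src", localised));
console.log(parseHostSource("http://google.co*")); // trailing wildcard is rejected
console.log(hostPartMatches("https://*.google.co.in", "www.google.co.in"));
```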
