- From: Jacob Bednarz <jacob.bednarz@gmail.com>
- Date: Fri, 9 Jan 2015 18:19:10 +1000 (AEST)
- To: public-webappsec@w3.org
Hey,

I work on a project that houses about 80 websites. We provide the base framework and infrastructure and then a site specific developer can implement further changes at the site level. One of the things we are looking at doing at the moment is implementing a content security policy for all sites. So far this has been pretty smooth and we have seen great gains from implementing it.

Unfortunately, we hit a bit of a snag with services (mainly Google) serving assets from localised domains. Example: a customer in India is using Google services and the assets are being served from https://google.co.in whereas a customer in the UK is using the same services and getting the assets delivered from https://google.co.uk

From what I have tested, unless I add every single localised domain to the desired directives I cannot roll out the content security policy (as expressions such as http://google.co* are invalid).

Is there any other approach I could take with this? Or is there something I have blindly missed? If there is not a solution currently in place, is this something worth looking at trying to implement or is this an edge case that wouldn't benefit being added to the spec?

Thanks in advance,
Jacob.
Received on Friday, 9 January 2015 09:23:44 UTC
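The reason `http://google.co*` cannot be expressed is the host-source grammar itself: the only wildcard a host may carry is a leading `*.` label (or a bare `*`). The following is an added example, not code from the thread or from any browser; it implements the scheme, host and port rules of the CSP Level 2 host-source matching algorithm (path matching omitted) and assumes the protected page is served over https.

```python
import re
from urllib.parse import urlsplit

# CSP Level 2 host-source grammar (section 4.2.2): "*" alone, or an optional
# leading "*." followed by ordinary labels. A trailing "co*" is a syntax error,
# so google.co.in, google.co.uk, ... each need their own expression.
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?P<port>\*|\d+))?"
    r"(?P<path>/\S*)?$"
)
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_host_source(expr):
    """Return (scheme, host, port, path), or None if expr is not a valid host-source."""
    m = HOST_SOURCE.match(expr)
    if not m:
        return None
    return (m.group("scheme"), m.group("host").lower(), m.group("port"), m.group("path"))

def host_source_matches(expr, url, page_scheme="https"):
    """Does host-source expr allow url on a page served with page_scheme? (CSP2 rules)"""
    parsed = parse_host_source(expr)
    if parsed is None:            # browsers ignore invalid expressions: they allow nothing
        return False
    scheme, host, port, _ = parsed
    u = urlsplit(url)
    url_scheme = u.scheme.lower()
    url_host = (u.hostname or "").lower()
    url_port = u.port or DEFAULT_PORT.get(url_scheme)
    # scheme: an explicit scheme must match; a schemeless expression inherits the page's
    if url_scheme != (scheme.lower() if scheme else page_scheme):
        return False
    # host: "*" matches anything; "*.example.com" matches subdomains only, not example.com
    if host == "*":
        pass
    elif host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif url_host != host:
        return False
    # port: absent means the scheme's default port; "*" means any port
    if port is None:
        if url_port != DEFAULT_PORT.get(url_scheme):
            return False
    elif port != "*" and int(port) != url_port:
        return False
    return True
```

Running `parse_host_source("http://google.co*")` returns `None`, while `*.google.com` parses but would not help here because the varying part is the suffix, not a subdomain.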