
Re: [CSP] Geotargetting?

From: Jacob Bednarz <jacob.bednarz@gmail.com>
Date: Fri, 9 Jan 2015 20:07:16 +1000
Message-ID: <CAOiVBi7zARRDVdsq6qQpRK3d7=pF_S0wuL2E9h95wnjYXVKnEQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
Hey,
I completely agree and to be honest I don't have any solutions that could
be implemented within a CSP that wouldn't compromise the
(intended) security or performance. The only thing I considered was regular
expressions, but they would impose a terrible performance overhead.

Perhaps an HTTP header (such as X-Geolocation: true) could be an indicator
for services such as Google to serve from a single domain for the purpose
of content security policies?

On Friday, January 9, 2015, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 9, 2015 at 9:19 AM, Jacob Bednarz <jacob.bednarz@gmail.com> wrote:
> > Is there any other approach I could take with this? Or is there something I
> > have blindly missed? If there is not a solution currently in place, is this
> > something worth looking at trying to implement or is this an edge case that
> > wouldn't benefit being added to the spec?
>
> It's difficult. E.g. if you whitelist google.co*, what about
> google.co.evil.com? Or google.co.kitchen? It seems best to enumerate
> the domains you trust.
>
>
> --
> https://annevankesteren.nl/
>
Received on Friday, 9 January 2015 10:07:46 UTC
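The point Anne makes in the quoted reply (a trailing wildcard like google.co* also admits google.co.evil.com, so the trusted hosts should be enumerated) can be shown concretely. The script below is an added example and is not part of the thread or of any CSP implementation: it puts a naive glob matcher, which is what "google.co*" would mean if CSP accepted it, next to a simplified version of the host-part match that CSP actually specifies (exact host, or a leading "*." label only), and runs both over a set of constructed hostnames. The enumerated policy, the hostnames and the "evil" look-alikes are assumptions chosen for illustration, not real policies or registrations.

```javascript
// Added example (not from the thread): naive glob whitelist vs CSP host-source
// matching, run over constructed hostnames. Policies and hosts are assumptions.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Naive glob: every "*" matches any run of characters. This is what a
// "google.co*" entry would mean if CSP allowed trailing wildcards.
function naiveGlobMatch(pattern, host) {
  const re = new RegExp(
    '^' + pattern.split('*').map(escapeRe).join('.*') + '$', 'i');
  return re.test(host);
}

// Host-part matching as CSP defines it (simplified from the CSP3
// "host-part match" algorithm):
//   "*"             matches any host
//   "*.example.com" matches any host that ends with ".example.com"
//   anything else   must equal the host (case-insensitive)
// A "*" anywhere other than the leading label is not a valid host-source;
// a user agent drops such a source expression, so here it matches nothing.
function cspHostMatch(source, host) {
  const s = source.toLowerCase();
  const h = host.toLowerCase();
  if (s === '*') return true;
  if (s.startsWith('*.')) {
    const suffix = s.slice(1);          // "*.example.com" -> ".example.com"
    return h.endsWith(suffix);
  }
  if (s.includes('*')) return false;    // e.g. "google.co*": rejected
  return s === h;
}

function allowedBy(sources, host, matcher) {
  return sources.some((src) => matcher(src, host));
}

// The policy the original poster wanted, if CSP had trailing wildcards.
const GLOB_POLICY = ['google.co*'];

// An enumerated policy of the kind Anne suggests (assumed, illustrative).
const ENUMERATED_POLICY = ['google.com', 'google.co.uk', '*.gstatic.com'];

// Constructed hostnames: two legitimate ones, the two look-alikes Anne
// raises, and two for the leading-wildcard entry. Not real registrations.
const HOSTS = [
  'google.com',
  'google.co.uk',
  'google.co.evil.com',
  'google.co.kitchen',
  'cdn.gstatic.com',
  'gstatic.com.evil.net',
];

// For each host: would the glob policy allow it, would the enumerated CSP
// policy allow it, and would "google.co*" allow it under real CSP rules.
function evaluate(hosts = HOSTS) {
  return hosts.map((host) => ({
    host,
    globAllows: allowedBy(GLOB_POLICY, host, naiveGlobMatch),
    cspAllows: allowedBy(ENUMERATED_POLICY, host, cspHostMatch),
    globUnderCsp: allowedBy(GLOB_POLICY, host, cspHostMatch),
  }));
}

for (const r of evaluate()) {
  console.log(r.host.padEnd(22), 'glob:', r.globAllows,
    ' enumerated:', r.cspAllows, ' "google.co*" under CSP:', r.globUnderCsp);
}
```

Running it shows the asymmetry: the glob admits google.co.evil.com and google.co.kitchen alongside the two legitimate hosts, the enumerated policy admits only the listed hosts and subdomains of gstatic.com (not gstatic.com.evil.net, since it does not end in ".gstatic.com"), and "google.co*" as written matches nothing at all under CSP rules because it is not a valid source expression.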
