- From: Jacob Bednarz <jacob.bednarz@gmail.com>
- Date: Fri, 9 Jan 2015 20:07:16 +1000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Friday, 9 January 2015 10:07:46 UTC
Hey,

I completely agree and to be honest I don't have any solutions that could be implemented within a CSP that wouldn't compromise the (intended) security or performance. The only thing I considered was regular expressions but they would impose a terrible performance overhead. Perhaps an HTTP header (such as X-Geolocation: true) could be an indicator for services such as Google to serve from a single domain for the purpose of content security policies?

On Friday, January 9, 2015, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 9, 2015 at 9:19 AM, Jacob Bednarz <jacob.bednarz@gmail.com> wrote:
> > Is there any other approach I could take with this? Or is there something I have blindly missed? If there is not a solution currently in place, is this something worth looking at trying to implement or is this an edge case that wouldn't benefit being added to the spec?
>
> It's difficult. E.g. if you whitelist google.co*, what about google.co.evil.com? Or google.co.kitchen? It seems best to enumerate the domains you trust.
>
> --
> https://annevankesteren.nl/
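To make the point in the exchange above concrete, here is an added example (not code from the thread or from any browser) that implements the CSP host-source matching rule as written in CSP Level 2: a wildcard is allowed only as a leading `*.` label, so a suffix pattern like `google.co*` is not a valid source at all, while a naive suffix match would let `google.co.evil.com` through. The source lists below are constructed for illustration.

```javascript
// Simplified CSP host-source matcher (host part only; scheme and port are
// out of scope for this example). Per CSP Level 2, a host-source is either
// "*" or an optional "*." prefix followed by dotted labels; "*" may not
// appear anywhere else, so "google.co*" is rejected and ignored.
function isValidHostSource(source) {
  return /^(\*|(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*)$/i.test(source);
}

// Spec-style match: "*.example.com" matches one or more whole subdomain
// labels of example.com, never example.com itself and never a host that
// merely contains the string elsewhere (e.g. example.com.evil.test).
function hostSourceMatches(source, host) {
  if (!isValidHostSource(source)) return false; // invalid sources never match
  source = source.toLowerCase();
  host = host.toLowerCase();
  if (source === "*") return true;
  if (source.startsWith("*.")) {
    const suffix = source.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === source;
}

// The naive alternative the thread warns against: treat a trailing "*" as
// "anything may follow". This is what makes google.co.evil.com match.
function naiveSuffixMatches(pattern, host) {
  if (!pattern.endsWith("*")) return pattern.toLowerCase() === host.toLowerCase();
  return host.toLowerCase().startsWith(pattern.slice(0, -1).toLowerCase());
}

// Return the first source in a directive's host-source list that allows the
// host, or null if none does.
function findAllowingSource(sources, host) {
  return sources.find((s) => hostSourceMatches(s, host)) ?? null;
}

// Constructed sample lists: the wildcard idea vs. enumerating trusted hosts.
const SUFFIX_WILDCARD = ["google.co*"];
const ENUMERATED = ["www.google.com", "www.google.co.uk", "*.gstatic.com"];
```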