Re: [CSP] Geotargetting?

Hey,
I completely agree and to be honest I don't have any solutions that could
be implemented within a CSP that wouldn't compromise the
(intended) security or performance. The only thing I considered was regular
expressions but they would impose a terrible performance overhead.

Perhaps an HTTP header (such as X-Geolocation: true) could be an indicator
for services such as Google to serve from a single domain for the purpose
of content security policies?

On Friday, January 9, 2015, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 9, 2015 at 9:19 AM, Jacob Bednarz <jacob.bednarz@gmail.com>
> wrote:
> > Is there any other approach I could take with this? Or is there something I
> > have blindly missed? If there is not a solution currently in place, is this
> > something worth looking at trying to implement or is this an edge case that
> > wouldn't benefit being added to the spec?
>
> It's difficult. E.g. if you whitelist google.co*, what about
> google.co.evil.com? Or google.co.kitchen? It seems best to enumerate
> the domains you trust.
>
>
> --
> https://annevankesteren.nl/
>

Received on Friday, 9 January 2015 10:07:46 UTC
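
The over-matching concern raised in the quoted reply (google.co* also covering google.co.evil.com and google.co.kitchen) can be checked directly. This is an added example, not part of the original thread: the trailing-wildcard matcher is hypothetical (CSP host sources only allow a leading `*.`), and the host lists are constructed for illustration.

```javascript
// Hypothetical trailing wildcard such as "google.co*": a plain prefix match.
// CSP does not support this form; it is modelled here to show what it admits.
function trailingGlobMatch(pattern, host) {
  const prefix = pattern.replace(/\*$/, "").toLowerCase();
  return host.toLowerCase().startsWith(prefix);
}

// CSP-style host matching: an exact host, or "*.example.com", which matches
// any subdomain of example.com but not example.com itself.
function cspHostMatch(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*.")) {
    return h.endsWith(p.slice(1)); // suffix ".example.com"
  }
  return p === h;
}

// Enumerated allowlist: the host must match one of the listed sources.
function enumeratedMatch(sources, host) {
  return sources.some((s) => cspHostMatch(s, host));
}

// Constructed sample data (assumptions, not taken from any real policy).
const ENUMERATED = ["google.com", "google.co.uk", "google.com.au"];
const CANDIDATES = [
  "google.com",
  "google.co.uk",
  "google.com.au",
  "google.co.evil.com", // attacker-registered subdomain of evil.com
  "google.co.kitchen",  // unrelated registrable domain under another TLD
];

// Hosts the trailing wildcard admits that the enumerated list rejects.
function overMatched(pattern = "google.co*") {
  return CANDIDATES.filter(
    (h) => trailingGlobMatch(pattern, h) && !enumeratedMatch(ENUMERATED, h)
  );
}

console.log(overMatched());
```
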