
Re: [CSP] Geotargetting?

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 09 Jan 2015 17:00:41 +0000
Message-ID: <CAEeYn8j5V5=uNvj9r7OHEaC6++DkxJ6LPwX64fuC2wP=xSupfw@mail.gmail.com>
To: Jacob Bednarz <jacob.bednarz@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
There is (in the editor's draft, scheduled to be part of the CR) the
client-hint header:

https://w3c.github.io/webappsec/specs/content-security-policy/#csp-request-header

It instructs the user agent to send a header "CSP: active" with
non-same-origin requests originating from a CSP-protected resource. This
could be taken as a signal not to do retargeting that changes the domain.

But yes, it doesn't help you much if the sites serving content don't listen
to or respect that, and it's not widely implemented yet - perhaps only in
(very recent) versions of Chrome.

On Fri Jan 09 2015 at 2:09:32 AM Jacob Bednarz <jacob.bednarz@gmail.com> wrote:

> Hey,
> I completely agree, and to be honest I don't have any solutions that could
> be implemented within a CSP that wouldn't compromise the
> (intended) security or performance. The only thing I considered was regular
> expressions, but they would impose a terrible performance overhead.
>
> Perhaps an HTTP header (such as X-Geolocation: true) could be an indicator
> for services such as Google to serve from a single domain for the purpose
> of content security policies?
>
>
> On Friday, January 9, 2015, Anne van Kesteren <annevk@annevk.nl> wrote:
>
>> On Fri, Jan 9, 2015 at 9:19 AM, Jacob Bednarz <jacob.bednarz@gmail.com> wrote:
>> > Is there any other approach I could take with this? Or is there something I
>> > have blindly missed? If there is not a solution currently in place, is this
>> > something worth looking at trying to implement or is this an edge case that
>> > wouldn't benefit from being added to the spec?
>>
>> It's difficult. E.g. if you whitelist google.co*, what about
>> google.co.evil.com? Or google.co.kitchen? It seems best to enumerate
>> the domains you trust.
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>
Received on Friday, 9 January 2015 17:01:08 UTC
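As an added example (not code from this thread, from the W3C spec, or from any browser), the following Python sketches the two points the thread makes: Anne's observation that a trailing wildcard such as google.co* also matches google.co.evil.com and google.co.kitchen, shown next to a simplified CSP host-source matcher that only permits the leading `*.` wildcard and otherwise requires the enumerated host exactly; and Brad's suggestion that an origin server could treat the `CSP: active` request header as a signal not to geo-redirect to a different host. The host names, country codes, `GEO_HOSTS` table and header handling are constructed assumptions, and scheme and port matching are left out of the matcher.

```python
"""Added example for this thread (not code from the W3C spec or any browser):
a trailing-wildcard allowlist versus CSP-style host matching, plus a server-side
geotargeting decision that honours the "CSP: active" request header.
All hosts, country codes and header values below are constructed assumptions."""
from typing import Dict, Iterable, Optional


def naive_glob_match(pattern: str, host: str) -> bool:
    """A trailing '*' treated as 'anything may follow' (what an ad-hoc
    'google.co*' entry would mean). This is the unsafe behaviour."""
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def csp_host_match(source: str, host: str) -> bool:
    """Simplified CSP host-source matching (scheme and port ignored here):
    - '*.example.com' matches any subdomain of example.com, not example.com itself;
    - otherwise the host must match exactly;
    - a '*' anywhere else is not a valid host-source and is rejected."""
    source, host = source.lower(), host.lower()
    if source.startswith("*."):
        suffix = source[1:]                      # '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    if "*" in source:
        raise ValueError(f"invalid CSP host-source: {source!r}")
    return host == source


def allowed_by_csp(host: str, sources: Iterable[str]) -> bool:
    """True if any enumerated source in a directive's allowlist matches host."""
    return any(csp_host_match(s, host) for s in sources)


def compare_allowlists(hosts: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """For each host, show what the naive pattern accepts next to an
    enumerated CSP allowlist (the 'enumerate the domains you trust' option)."""
    enumerated = ["google.com", "google.co.uk", "google.com.au", "*.google.com"]
    return {
        h: {
            "naive google.co*": naive_glob_match("google.co*", h),
            "enumerated": allowed_by_csp(h, enumerated),
        }
        for h in hosts
    }


# Constructed mapping of country -> geo-specific host a site might redirect to.
GEO_HOSTS = {"AU": "example.com.au", "GB": "example.co.uk"}
CANONICAL_HOST = "example.com"


def geo_redirect_target(request_headers: Dict[str, str], country: str) -> Optional[str]:
    """Decide whether to redirect a request to a country-specific host.

    Returns the host to redirect to, or None to keep serving from CANONICAL_HOST.
    If the user agent sent 'CSP: active', the request comes from a CSP-protected
    document whose allowlist presumably names CANONICAL_HOST, so a cross-host
    redirect would be blocked by the policy; stay on the canonical host instead."""
    headers = {k.lower(): v.strip().lower() for k, v in request_headers.items()}
    if headers.get("csp") == "active":
        return None
    target = GEO_HOSTS.get(country.upper())
    return target if target and target != CANONICAL_HOST else None


if __name__ == "__main__":
    for host, verdicts in compare_allowlists(
        ["google.co.uk", "google.co.evil.com", "google.co.kitchen", "www.google.com"]
    ).items():
        print(f"{host:22} {verdicts}")
    print(geo_redirect_target({"CSP": "active"}, "AU"))   # None: no cross-host redirect
    print(geo_redirect_target({}, "AU"))                   # example.com.au
```

Running the block prints, for each host, whether the naive google.co* pattern accepts it and whether an enumerated CSP allowlist does; the two attacker-style hosts from Anne's reply are accepted only by the naive pattern. The `geo_redirect_target` call with `CSP: active` returns None, which is the server-side half of Brad's suggestion: the header is only useful if the geotargeting service actually checks it.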
