
Re: [CSP] Geotargetting?

From: Jacob Bednarz <jacob.bednarz@gmail.com>
Date: Thu, 3 Mar 2016 09:31:52 +1100
Message-ID: <CAOiVBi7NAaqsgh=fHAT1_89ocfb3LWBTk2Jup=33faPTsMLc9w@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
Hi,
Sorry to bring up an old topic but this has popped up again and I'm still
without a viable solution. Here are some of my thoughts:

- Adding all Google domains to a whitelist: There are a lot and I don't
really want every single domain in there due to the sheer number required.
- Allowing all image traffic to be requested: This kind of defeats the
purpose of why we set out in implementing a content security policy.
- Proxying all Google traffic: While this sounds viable I'm wondering
whether there will be any implications or consequences of doing this for
our analytics or ads setup but I'm unable to test this reliably until it's
in production which then becomes too late for our data if it ends up
botched.

Has anyone else had experience with this or have any ideas that differ from
the above?

Mike, do you have any insights from the Google side of things that might
help here?

Thanks!

On Sat, Jan 10, 2015 at 5:11 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Jacob Bednarz wrote:
> >I completely agree and to be honest I don't have any solutions that could
> >be implemented within a CSP that wouldn't compromise the
> >(intended) security or performance. The only thing I considered was regular
> >expressions but they would impose a terrible performance overhead.
>
> It seems rather unlikely that they would.
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
>  Available for hire in Berlin (early 2015)  · http://www.websitedev.de/
>
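An added illustration (not code from this thread or from any CSP implementation) of the whitelisting problem above: a simplified CSP host-source matcher, run over a constructed img-src list and constructed sample image URLs, showing that `*.google.com` covers none of the country-specific hosts. It ignores ports, paths and quoted keyword sources such as 'self'.

```python
from urllib.parse import urlsplit

# Constructed sample policy and requests (assumptions, not the thread's real config).
IMG_SRC = ["'self'", "*.google.com", "*.googleapis.com"]
SAMPLE_URLS = [
    "https://www.google.com/images/logo.png",      # covered by *.google.com
    "https://www.google.com.au/images/logo.png",   # geotargeted host, not covered
    "https://www.google.co.uk/images/logo.png",    # geotargeted host, not covered
    "https://google.com/images/logo.png",          # apex: '*.' needs at least one label
    "https://fonts.googleapis.com/css",            # covered by *.googleapis.com
]

def host_matches(pattern, host):
    """CSP host-source matching: '*.example.com' matches any subdomain but not
    'example.com' itself; a bare '*' matches every host; otherwise exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                   # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host

def source_allows(source, url, page_scheme="https"):
    """Does one img-src source expression allow this URL?  A source without a
    scheme matches the page's own scheme (and https when the page is http).
    Quoted keywords ('self', 'none', ...) are skipped in this simplified check."""
    if source.startswith("'"):
        return False
    parts = urlsplit(url)
    if "://" in source:
        src_scheme, src_host = source.split("://", 1)
        schemes = {src_scheme.lower()}
    else:
        src_host = source
        schemes = {page_scheme} | ({"https"} if page_scheme == "http" else set())
    return parts.scheme.lower() in schemes and host_matches(src_host, parts.hostname or "")

def allowed(img_src, url, page_scheme="https"):
    """True if any source expression in the directive allows the URL."""
    return any(source_allows(s, url, page_scheme) for s in img_src)

def blocked_urls(img_src, urls, page_scheme="https"):
    """Return the URLs the policy would refuse to load."""
    return [u for u in urls if not allowed(img_src, u, page_scheme)]

if __name__ == "__main__":
    for u in blocked_urls(IMG_SRC, SAMPLE_URLS):
        print("blocked:", u)
```

Every geotargeted host needs its own entry (or a proxy under an origin you already allow), which is exactly the list growth the post complains about.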
Received on Wednesday, 2 March 2016 22:32:20 UTC
