Content-Security-Policy. Make it tight.

Google: you need to allow its domains in img-src so that the images it references show in the search box.

Wildcards: CSP lets you wildcard the left side of a host (*.domain) but not the right side (domain.*), so there is no single entry that covers every country-code TLD.

OK, let's look up the list of Google domains. I'll let you Bing that. The answer is here.

Huh. That is a lot.

.google.com 
.google.ad 
.google.ae 
.google.com.af 
.google.com.ag 
.google.com.ai 
.google.al
.google.am
.google.co.ao
.google.com.ar
...

It's larger than the allowable size of a Content-Security-Policy header is likely to be. What is one to do? Make img-src *? But then the ad malware wanders in. Pick a few and hope?

Anyone have a suggestion for a best practice?

I see a lot of entries for countmake.cool (purposely not linked) in my Content-Security-Policy logs. These are folks who have some malware installed on their desktop; when they surf to my blog, they get redirected and advertising injected. Except that my CSP forbids this (since I don't give that host img-src or script-src permission).

I wrote about this earlier. I'm appalled that such things exist. I'm also saddened that it's come to this: a spy-vs-spy game of one-upmanship where people like me spend time adding rules to stop malware writers from taking advantage of folks.
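As an added example (not code from the original post), here is a small Python script that implements the host-source matching rule described above (a leading `*.` wildcard only, no wildcard on the TLD side, bare `*` matches everything) and runs candidate img-src policies over a few constructed CSP violation reports, in the JSON shape a browser POSTs to a report-uri, to show which blocked URIs each policy would admit. The two policy strings, the `blog.example` document URI and the report bodies are made up for the illustration; `'self'` is approximated as a hostname comparison, and scheme, port, path, nonce and hash matching are left out.

```python
"""CSP allow-list checker: which blocked URIs would a candidate policy admit?

Added example, not code from the original post.  It implements the CSP
host-source rule the post describes: a leading ``*.`` wildcard matches any
subdomain, there is no wildcard for the TLD side, and a bare ``*`` matches
every host.  Scheme, port and path matching, nonces and hashes are omitted,
and 'self' is approximated as "same hostname as the document".
"""
from urllib.parse import urlparse


def parse_policy(policy: str) -> dict:
    """Turn "img-src a b; script-src c" into {"img-src": ["a", "b"], ...}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def host_matches(source: str, host: str, document_host: str = "") -> bool:
    """Does one source expression admit this hostname?

    '*'             -> every host
    '*.google.com'  -> any subdomain of google.com, but not google.com itself
    'google.com'    -> exactly google.com
    "'self'"        -> the document's own host (hostname-only approximation)
    """
    source, host = source.lower(), host.lower()
    if source == "*":
        return True
    if source == "'self'":
        return bool(document_host) and host == document_host.lower()
    if source.startswith("*."):
        # Suffix match on ".google.com": the host needs at least one label in front,
        # so "www.google.com" matches but "google.com" and "www.google.ad" do not.
        return host.endswith(source[1:])
    return host == source


def allowed_by(policy: str, directive: str, url: str, document_uri: str) -> bool:
    """Would `policy` let `directive` fetch `url`?  Missing directives fall back to default-src."""
    directives = parse_policy(policy)
    if directive in directives:
        sources = directives[directive]
    else:
        sources = directives.get("default-src", [])
    host = urlparse(url).hostname or ""
    document_host = urlparse(document_uri).hostname or ""
    return any(host_matches(s, host, document_host) for s in sources)


# Constructed violation reports in the JSON shape a browser POSTs to report-uri.
# The document URI, hosts and paths are made up for the illustration.
REPORTS = [
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "img-src",
                    "blocked-uri": "https://www.google.com/img/1.png"}},
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "img-src",
                    "blocked-uri": "https://www.google.ad/img/1.png"}},
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "img-src",
                    "blocked-uri": "https://countmake.cool/pixel.gif"}},
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "script-src",
                    "blocked-uri": "https://countmake.cool/inject.js"}},
]


def triage(policy: str, reports) -> dict:
    """Sort the blocked URIs in `reports` into those `policy` would admit and those it still blocks."""
    result = {"admitted": [], "still_blocked": []}
    for report in reports:
        body = report["csp-report"]
        ok = allowed_by(policy, body["effective-directive"], body["blocked-uri"], body["document-uri"])
        result["admitted" if ok else "still_blocked"].append(body["blocked-uri"])
    return result


# Two hypothetical candidate policies: a short explicit allow-list versus img-src *.
TIGHT_POLICY = "default-src 'self'; img-src 'self' *.google.com *.google.ca"
WIDE_POLICY = "default-src 'self'; img-src *"

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("wide", WIDE_POLICY)):
        print(name, triage(policy, REPORTS))
```

Running it shows the trade-off in concrete terms: the tight policy admits `www.google.com` but leaves `www.google.ad` blocked (no right-side wildcard can help), while `img-src *` admits the `google.ad` image and the `countmake.cool` pixel alike; only the injected script stays blocked, because script-src falls back to `default-src 'self'`.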

Once again, I’ll suggest an action. Head to https://observatory.mozilla.org. Enter a site name that you use. If it doesn’t get a great score, write to the owner: get it fixed.


Something interesting / disturbing just happened to me. I was trying out my new Bluetooth headset to make sure it supported aptX and would pair to two devices. So, while watching a YouTube video, I used Skype to dial my phone.

Oddly, I got a high-fidelity playback of my voicemail (ironically, a bunch of CRA scams). Hmm, but it's not from the phone. It's from the PC. Weird.

So I dig in a bit. It turns out that if my caller ID is set to my own phone number, it just assumes it's me and starts playing.

Given that caller ID is trivial to spoof, this means there’s really no security here.

Anyone else care to try this? I tried on Koodoo if it matters.