The Sad Case of the ccTLD, the CSP, and the Wildcard

Content-Security-Policy. Make it tight.

Google, allow it to reference your images so they show in the search box.

Wildcards. You can specify the left-side (*.domain) but not the right side (domain.*).

OK, lets look up the list of google domains. I’ll let you Bing that. The answer is here.

Huh. That is a lot.

.google.com 
.google.ad 
.google.ae 
.google.com.af 
.google.com.ag 
.google.com.ai 
.google.al
.google.am
.google.co.ao
.google.com.ar
...

Its larger than the probably allowable size of a Content-Security-Policy header. What is one to do? make img-src be *? But then the ad malware wanders in. Pick a few and hope?

Anyone have a suggestion for a best practice?

Posted

in

by

db

Tags:

Comments

4 Responses to “The Sad Case of the ccTLD, the CSP, and the Wildcard”

  1. Zac

    Man, that fourth one is google AF

    Reply
  2. Anonymous

    Hmm is anyone else encountering problems with the
    images on this blog loading? I’m trying to find out if its a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

    Reply
    1. db

      That would be my challenge with the content-security-policy.
      You may have a virus or redirector that is serving you fake ads.
      You reference `https://lokasi4d.net/` which is … doing this.

      My content-security-policy only allows user-generated content from this site to prevent this from occurring.

      Reply
  3. Anonymous

    Hi there friends, its impressive post regarding teachingand
    fully explained, keep it up all the time.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *