The Sad Case of the ccTLD, the CSP, and the Wildcard

Content-Security-Policy. Make it tight.

Google, allow it to reference your images so they show in the search box.

Wildcards. You can specify the left-side (*.domain) but not the right side (domain.*).

OK, let's look up the list of Google domains. I'll let you Bing that. The answer is here.

Huh. That is a lot.

.google.com 
.google.ad 
.google.ae 
.google.com.af 
.google.com.ag 
.google.com.ai 
.google.al
.google.am
.google.co.ao
.google.com.ar
...

It's larger than the probably allowable size of a Content-Security-Policy header. What is one to do? Make img-src be *? But then the ad malware wanders in. Pick a few and hope?

Anyone have a suggestion for a best practice?
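To make the two points above concrete (a CSP host-source wildcard is only valid on the left, and a per-ccTLD allow list grows linearly with the number of Google domains), here is an added example, not code from the original post. It validates host-sources against the CSP host-part grammar, matches them the way a browser does (a leading `*.` matches subdomains only, not the bare apex, so each domain needs two entries), and measures how many bytes an img-src directive costs. The domain list is the constructed ten-entry sample quoted in the post, not the full list, and the 8192-byte budget is an assumed header size limit, not a value from any specification.

```python
import re

# Constructed sample: the first ten entries quoted in the post. The full
# Google domain list is far longer; this is enough to show the growth.
GOOGLE_HOSTS = [
    "google.com", "google.ad", "google.ae", "google.com.af", "google.com.ag",
    "google.com.ai", "google.al", "google.am", "google.co.ao", "google.com.ar",
]

# CSP host-part grammar: "*" alone, or an optional leading "*." followed by
# dot-separated labels. A wildcard anywhere else (google.*) is not allowed.
_HOST_PART = re.compile(r"^(\*|(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)$")


def validate_host_source(source):
    """Return the host-part unchanged, or raise if it is not valid CSP syntax."""
    if not _HOST_PART.match(source):
        raise ValueError(f"invalid CSP host-source: {source!r}")
    return source


def host_source_matches(source, host):
    """Simplified CSP host matching for a bare host-part (no scheme or port).

    '*'            matches any host (this is why img-src * lets ads in).
    '*.google.com' matches www.google.com but NOT google.com itself.
    'google.com'   matches only that exact host.
    """
    part = validate_host_source(source).lower()
    host = host.lower()
    if part == "*":
        return True
    if part.startswith("*."):
        # part[1:] is ".google.com"; requiring the dot prevents
        # "evilgoogle.com" from matching.
        return host.endswith(part[1:])
    return host == part


def build_img_src(hosts, scheme="https"):
    """Emit an img-src directive allowing each host and its subdomains.

    Because '*.google.com' does not cover the apex, every domain needs a
    bare entry and a wildcard entry.
    """
    sources = [f"{scheme}://{h} {scheme}://*.{h}" for h in hosts]
    return "img-src 'self' " + " ".join(sources)


def policy_bytes(hosts):
    """Bytes the directive costs on the wire for a given host list."""
    return len(build_img_src(hosts).encode("ascii"))


def header_fits(hosts, limit=8192):
    """True if the directive stays under the assumed header budget."""
    return policy_bytes(hosts) <= limit


if __name__ == "__main__":
    print(build_img_src(GOOGLE_HOSTS))
    print("bytes:", policy_bytes(GOOGLE_HOSTS))
    print("fits in 8192:", header_fits(GOOGLE_HOSTS))
```

Each domain costs roughly 19 bytes plus twice its own length, so the per-domain cost, multiplied by the size of the real list, is what has to be checked against whatever limit the serving stack actually enforces; that limit is a property of the server and proxies in front of it, not of CSP.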
