Reputation: 517
I have added the following in the header so it will allow images from the same source, blob-type images etc. and images from Google Maps.
img-src 'self' data: blob: https://maps.googleapis.com
In order to make it efficient, Google Maps URLs change to country-specific domains such as
http://maps.google.com.au/mapfiles/ms/icons/green-dot.png
http://maps.google.co.nz/mapfiles/ms/icons/green-dot.png
We can use wildcards before the URL, like below:
img-src http://*.google.com.au...
Is there any way I can use wildcards at the end of the URL, like below,
img-src http://maps.google.*
and allow access to resources from maps.google.com.au or maps.google.co.nz etc.?
Rather than using https:* or allowing everything with *, I would like to use specific sources like this. Is there a way to achieve this?
Upvotes: 5
Views: 2623
Reputation: 155592
The purpose of CSP is to restrict the sources that your page resources can come from.
Wildcards allow a little flexibility, so you can have:
img-src http://*.mysite.com
And then deliver sources from:
cdn1.mysite.com/...
cdn2.mysite.com/...
However, they don't work the other way because that would let anyone in.
For instance, in your example you have something like:
http://mysite.au/...
http://mysite.nz/...
So you 'protect' your site with:
img-src http://mysite.*
Now suppose I want to hack past your site? Easy - I just go buy mysite.ru, stick my malicious script on there and your site lets it in.
You might own the mysite in .au, and might own mysite in .nz, but they have nothing to do with each other and nothing to do with any other top level domain authority. This even goes for big players like maps.google.* - I'm sure there's some dodgy TLD somewhere that will sell me that domain under their country code (at least until Google sues me for it).
The wildcard pattern you're asking for would be like trusting any mail that came from "Something Street" but not caring what country that street was in.
Instead, either dynamically serve up the CSP header to match the source you're using, or include every valid TLD in the CSP as a space-separated list.
Upvotes: 4
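As an added illustration of the answer above (example code, not from the answer's author or from any CSP library), the following builds the explicit space-separated img-src list the answer recommends and models how a browser matches host-sources: a leading "*." wildcard matches subdomains, while a trailing "maps.google.*" is not a valid source at all and is simply ignored. MAPS_HOSTS is a constructed list, and the 'self' keyword is not modelled.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the Google Maps hosts the question mentions; a real
# site would build this from the hosts it actually loads icons and tiles from.
MAPS_HOSTS = ["https://maps.googleapis.com",
              "http://maps.google.com.au",
              "http://maps.google.co.nz"]

def build_img_src(hosts, extra=("'self'", "data:", "blob:")):
    """Emit an img-src directive naming every permitted host explicitly."""
    return "img-src " + " ".join([*extra, *hosts])

def parse_host_source(source):
    """Split 'http://*.google.com.au' into ('http', '*.google.com.au')."""
    scheme, sep, rest = source.partition("://")
    host = (rest if sep else source).split("/", 1)[0].split(":", 1)[0]
    return (scheme if sep else None), host.lower()

def is_valid_host_source(source):
    """'*' is legal only as the whole leftmost label (or the whole host)."""
    _, host = parse_host_source(source)
    labels = host.split(".")
    return host == "*" or (all(labels)
                           and (labels[0] == "*" or "*" not in labels[0])
                           and all("*" not in lbl for lbl in labels[1:]))

def host_matches(pattern, host):
    """A leading '*.' matches any subdomain, never the bare parent domain."""
    return (pattern == "*" or pattern == host
            or (pattern.startswith("*.") and host.endswith(pattern[1:])))

def url_allowed(sources, url):
    """True if a browser would fetch url under these img-src source expressions."""
    u = urlsplit(url)
    req_host = (u.hostname or "").lower()
    for src in sources:
        if src.endswith(":") and "//" not in src:       # scheme-source, e.g. data:
            if u.scheme == src[:-1]:
                return True
            continue
        if src.startswith("'") or not is_valid_host_source(src):
            continue   # keywords like 'self' are not modelled; bad sources are dropped
        scheme, host = parse_host_source(src)
        https_ok = scheme == "http" and u.scheme == "https"   # http: also admits https
        if scheme and u.scheme != scheme and not https_ok:
            continue
        if host_matches(host, req_host):
            return True
    return False
```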
Reputation: 2998
Unfortunately, wildcards for the rightmost position of the hostname don't work. Checking on the Content Security Policy page of HTML5Rocks, wildcards are accepted but only as
Upvotes: 1