7

I am whitelisting domains for CSP headers. Is there any recommendation for whitelisting a big list of domains, all belonging to the same company, e.g. google.de, google.fr, etc.?

If I understand correctly, *.mydomain.com means both subdomains of mydomain.com and also mydomain.com itself. For security itself, it doesn't make sense to allow any top level domain of google.<tld>, yet it would be very convenient to have a shorthand way to list all google.<tld> that I can find.

Is there a shorter / better alternative to maintaining a list of all possible google.*?

jleeothon
    You might be interested in the answers to this question: https://stackoverflow.com/questions/34361383/google-adwords-csp-content-security-policy-img-src/ – Barry Pollard Sep 14 '18 at 21:43

1 Answer

6

At least for now, a seemingly reliable list would be: https://www.google.com/supported_domains

jleeothon
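One way to turn such a list into a CSP directive at build time, as an added example that is not part of the original answer. It assumes the list has one domain per line with a leading dot; the sample text is constructed, the function names are hypothetical, and fetching the list is left out so the block runs offline.

```python
import re

# Constructed sample in the assumed format of the list linked in the answer
# (one domain per line, leading dot), plus two malformed lines.
SAMPLE_LIST = """\
.google.com
.google.de
.google.fr
.google.co.uk
.google.de
.google.com; script-src *
evil.example/.google.com
"""

# Accept only google.<tld> or google.<sld>.<tld> (assumed label lengths); anything
# else is rejected so a tampered list cannot inject extra sources or directives.
_DOMAIN_RE = re.compile(r"google(\.[a-z]{2,3}){1,2}")

def parse_domains(text):
    """Return (accepted, rejected); accepted is sorted and de-duplicated."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry:
            continue
        host = entry[1:] if entry.startswith(".") else entry
        if _DOMAIN_RE.fullmatch(host):
            accepted.add(host)
        else:
            rejected.append(raw)
    return sorted(accepted), rejected

def build_directive(directive, domains, include_subdomains=True):
    """Build one CSP directive from validated domains."""
    sources = []
    for d in domains:
        sources.append(f"https://{d}")
        if include_subdomains:
            # In CSP host matching, *.google.de covers subdomains only,
            # so the apex domain is listed as its own source.
            sources.append(f"https://*.{d}")
    return f"{directive} " + " ".join(sources)

if __name__ == "__main__":
    domains, rejected = parse_domains(SAMPLE_LIST)
    print(build_directive("img-src", domains))
    print("rejected lines:", rejected)
```

Generating the header from a reviewed snapshot of the list, rather than fetching it per request, keeps the policy under version control and makes rejected lines visible in the build log.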