Specify Hosts in a CSP (rather than *.example.com)

[Image: a red circle with a line through it, overlaid on the asterisk of *.example.com, against an Apache config background]
What are the implications of the DNS subdomain takeover attack for CSP (Content-Security-Policy)?

If one creates a CSP (Content-Security-Policy) directive for one's HTTP security headers (and one should), it seems one ought to refrain from using the asterisk (*) character when allowing hosts, and, other than for one's own domain, one ought not allow entire domains when drawing resources from outside.

Consider this common style of advice one finds when looking on the Internet for how to configure CSP.

# Apache mod_headers: header name without the colon, value quoted because it contains spaces
Header set Content-Security-Policy "script-src *.google.com *.adroll.com;"

Consider also this recent discussion of a "subdomain takeover" attack [Microsoft subdomain takeover @ Hacker News], demonstrated humorously by someone who is not an official representative of Microsoft registering the subdomain cseo-coherence . microsoft . com (subsequently fixed).

Ad service companies (such as "adroll.com" in that CSP example) are particularly interesting. They're often a bit shady anyway, and some have historically been very poorly run from a security perspective.

Advertising network servers are also under continual assault because they make really great places from which to launch massive cross-site scripting attacks against their customers (you) and, from there, the general public (visiting your website).

So, rather than *.adroll.com or adroll.com in your CSP, it's probably best to find out the list of hosts from which your site will actually load resources, and enumerate each of those specifically.

Amusingly, the easiest place to find that list is probably the Steven Black host file block list.

There are those who suggest that one should only allow specific resources via a hash, not even hosts. Others say one should host local copies of everything you need and disallow resource loading from other sites.

They have their arguments; even if I think they're a little pedantic and impractical, it's probably worth pondering that balance.
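As an added example (not code from the original post), the script below does two things the preceding paragraphs describe: it audits a CSP header value for host sources broader than a specific host (the `*.adroll.com` / `adroll.com` problem discussed above, with your own domain exempted), and it builds the `'sha256-…'` hash-source token that the hash-only approach relies on, checking whether a policy admits one exact script. The sample policies and the `tag.adnetwork.example` host are constructed for illustration; the "bare domain" test is a single-dot heuristic, not a public-suffix lookup.

```python
"""CSP source-list audit: flag wildcard / bare-domain hosts, build hash sources.

Added example, not code from the original post. Parses a Content-Security-Policy
header value, reports host sources broader than a specific host, and shows the
'sha256-...' hash-source alternative for pinning one exact script.
Hostnames in the sample policies are constructed for illustration.
"""
import base64
import hashlib
import re

# Directives whose values are source lists (CSP "fetch directives").
FETCH_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "frame-src", "media-src", "object-src", "child-src",
    "worker-src", "manifest-src",
}

# host-source: [scheme://]host[:port][/path]; host may be "*" or start with "*."
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?P<host>[^/:]+)(?::(?:\*|\d+))?(?:/.*)?$", re.I
)

def parse_csp(header_value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def host_findings(source, own_hosts=()):
    """Findings for one source expression; keywords and scheme-sources pass."""
    if source.startswith("'") or source.endswith(":"):  # 'self', 'sha256-..', https:, data:
        return []
    m = HOST_RE.match(source)
    if not m:
        return [f"{source}: unrecognised source expression"]
    host = m.group("host").lower()
    if host == "*":
        return [f"{source}: allows any host"]
    if host.startswith("*."):
        return [f"{source}: wildcard admits every subdomain of {host[2:]}, "
                "including dangling ones open to subdomain takeover"]
    # Heuristic: a single-dot host (adroll.com) is usually a bare registrable
    # domain rather than a specific host (tag.adroll.com). Own domain is exempt.
    if host not in own_hosts and host.count(".") == 1:
        return [f"{source}: bare domain, enumerate the specific hosts instead"]
    return []

def audit_csp(header_value, own_hosts=()):
    """Return {directive: [finding, ...]} for every fetch directive with problems."""
    report = {}
    for directive, sources in parse_csp(header_value).items():
        if directive in FETCH_DIRECTIVES:
            findings = [f for s in sources for f in host_findings(s, own_hosts)]
            if findings:
                report[directive] = findings
    return report

def csp_hash_source(script_text, algorithm="sha256"):
    """Hash-source token for an exact script body, e.g. 'sha256-<base64 digest>'."""
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"

def script_allowed_by_hash(header_value, script_text):
    """True if the effective script-src lists a hash matching script_text exactly."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))  # spec fallback
    wanted = {csp_hash_source(script_text, alg) for alg in ("sha256", "sha384", "sha512")}
    return any(src in wanted for src in sources)

# Constructed sample policies (hosts other than the post's own examples are placeholders).
WILDCARD_POLICY = "script-src *.google.com *.adroll.com; style-src 'self' fonts.googleapis.com"
EXPLICIT_POLICY = "script-src 'self' www.google.com tag.adnetwork.example; style-src 'self'"
INLINE_SCRIPT = "window.dataLayer = window.dataLayer || [];"  # constructed sample script
HASH_POLICY = f"default-src 'self'; script-src 'self' {csp_hash_source(INLINE_SCRIPT)}"

if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD_POLICY), ("explicit", EXPLICIT_POLICY)]:
        print(name, audit_csp(policy, own_hosts={"example.com"}) or "no findings")
    print("inline script allowed:", script_allowed_by_hash(HASH_POLICY, INLINE_SCRIPT))
    print("tampered script allowed:", script_allowed_by_hash(HASH_POLICY, INLINE_SCRIPT + ";"))
```

Running it reports both `*.google.com` and `*.adroll.com` under `script-src` for the wildcard policy and nothing for the explicit one; the hash check accepts the exact script and rejects a one-byte change, which is the whole point of the hash-only approach (and why it needs regenerating whenever the script changes).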

My own impression is that fonts and certain core JavaScript should probably be fetched from a CDN (Content Delivery Network)