
Re: [CSP] Relative/absolute hostname matching

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 7 Nov 2014 11:21:44 +0100
Message-ID: <CADnb78hnQXbRvktYie=xAk-skkN15tELoiSb8KZ0UApqnHPrdA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, Valentin Gosu <valentin.gosu@gmail.com>
On Fri, Nov 7, 2014 at 11:05 AM, Mike West <mkwst@google.com> wrote:
> My worry is that we'd be unable to support internal names on intranets. For
> instance, consider an internal shortlinking service named
> `go.internal.megacorp.com`, which is accessible by typing `go`. If we
> automagically assume that `go` is `go.`, then we'd break the resolution,
> right?

I suppose we would, yes. Seems hard for such a service to protect
itself from the internal network if the setup was like that though,
no?


> I think we'd have to limit the behavior to public suffixes, which seems
> strange to bring into URL parsing.

Agreed.

So either we make it a UA-initiated redirect for public suffixes or we
just deal with the brokenness and define that for certificates (and
HSTS, anything else?) they are identical.


-- 
https://annevankesteren.nl/
Received on Friday, 7 November 2014 10:22:10 UTC
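The two options in the reply above, worked as an added example (this is not code from the thread, from any browser, or from either correspondent): `normalize_host` and `hosts_match` implement the "define that they are identical" option for certificate- or HSTS-style host comparison, and `absolutize_if_public` implements the "UA-initiated rewrite limited to public suffixes" option, which leaves an intranet short name such as `go` untouched. The suffix set is a constructed stand-in for the Public Suffix List (publicsuffix.org), and every function name here is an assumption.

```python
"""Added example: trailing-dot ("absolute") hostnames versus relative ones.

A hostname ending in "." names the DNS root explicitly, so `example.com.`
and `example.com` resolve to the same place.  A matcher that compares the
raw strings treats them as two different hosts, which is the inconsistency
the thread is about.  Two remedies are discussed; both are sketched here.
"""

# Constructed stand-in for the Public Suffix List (assumption: the real list
# at publicsuffix.org is far larger; only these entries exist in this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def normalize_host(host: str) -> str:
    """Option 2: make `example.com` and `example.com.` compare as identical.

    Lower-cases the name and drops one trailing dot (the root label).  A lone
    "." is left alone so the root itself is not turned into the empty string.
    """
    host = host.lower()
    if host.endswith(".") and len(host) > 1:
        host = host[:-1]
    return host


def hosts_match(policy_host: str, request_host: str, normalize: bool = True) -> bool:
    """Compare a host from a policy or certificate against a request host.

    With normalize=False this is the naive byte comparison that treats the
    absolute form as a different host; with normalize=True (the default) the
    two forms are considered the same, as the reply proposes for certificates
    and HSTS.
    """
    if normalize:
        return normalize_host(policy_host) == normalize_host(request_host)
    return policy_host == request_host


def ends_in_public_suffix(host: str) -> bool:
    """True when the rightmost labels of `host` form a known public suffix."""
    labels = normalize_host(host).split(".")
    return any(".".join(labels[i:]) in PUBLIC_SUFFIXES for i in range(len(labels)))


def absolutize_if_public(host: str) -> str:
    """Option 1: a UA-initiated rewrite to the absolute form, limited to names
    under a public suffix.

    Limiting the rewrite this way is what keeps an intranet short name like
    `go` (which resolves via the local search path) from being turned into
    `go.`, the breakage raised in the quoted message.
    """
    if host.endswith("."):
        return host                      # already absolute; nothing to do
    if ends_in_public_suffix(host):
        return host + "."                # public name: pin it to the root
    return host                          # intranet-style name: leave as-is


if __name__ == "__main__":
    for policy, request in [("example.com", "example.com."), ("go", "go.")]:
        print(f"{policy!r} vs {request!r}: naive={hosts_match(policy, request, normalize=False)}"
              f" normalized={hosts_match(policy, request)}")
    for name in ["go", "go.internal.megacorp.com", "example.co.uk", "intranet.local"]:
        print(f"absolutize_if_public({name!r}) -> {absolutize_if_public(name)!r}")
```

The matching functions are deliberately small so the difference between the two remedies is visible: option 2 changes only how existing names are compared, whereas option 1 changes the name itself and therefore needs the public-suffix guard the quoted message asks for.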