W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Wed, 4 Feb 2015 10:00:23 +0100
Message-ID: <CAKXHy=fta-iYk9OY36Goy532j-=U=7=AmVHD=mDzjoeDQVUHeA@mail.gmail.com>
To: "Oda, Terri" <terri.oda@intel.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 4, 2015 at 3:01 AM, Oda, Terri <terri.oda@intel.com> wrote:

> On Wed, Jan 21, 2015 at 5:23 AM, Mike West <mkwst@google.com> wrote:
>> Any strong objections to changing the algorithm to always return "does
>> not match" when presented with an IP address?
> I don't know that I'd say *strong* objections, but I find it a hard to
> believe that this wouldn't eventually conflict with some internet of things
> plans.  Or rather, with some "uh oh" IoT security issue mitigation plans in
> the future...

IoT worries me in general.

I think for CSP2, I'm in favor of allowing IPv4 addresses, adding metrics
to user agents to see how widely used they are, and circling back to the
question of IoT once those groups are further along with their plans. It's
not really clear to me how those devices will be identified, so I'd like
not to lock anything in/out right now.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 4 February 2015 09:01:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC