Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 4 Feb 2015 20:50:49 +1100
Message-ID: <CABkgnnU0Xi7M5SG+xvP+_PgwuC-obr8UVQZ9Lz4kJ8PuFnJ9Pg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Oda, Terri" <terri.oda@intel.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 4 February 2015 at 20:00, Mike West <mkwst@google.com> wrote:
>> I don't know that I'd say *strong* objections, but I find it hard to
>> believe that this wouldn't eventually conflict with some internet of things
>> plans.  Or rather, with some "uh oh" IoT security issue mitigation plans in
>> the future...
> IoT worries me in general.

This is a very vague objection.  Features are very hard to revoke.
And YAGNI suggests that you don't do the work until a concrete need is
identified, at which point you will know for certain what you need to

> [...] I'm in favor of allowing IPv4 addresses, [...]

I certainly don't see a point of building a speculative feature for
something like IoT without IPv6 support.  Doubly so if it's not clear
how I-o-Things will be identified in practice.

As long as you have a reasonable idea how a solution might fit, why
not wait until someone really needs that feature?  You might find
questions about matching https://2/ are easier to answer then.

Received on Wednesday, 4 February 2015 09:51:16 UTC
