Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Wed, 4 Feb 2015 11:24:26 +0100
Message-ID: <CAKXHy=cKwvhMs6VhRb5RMBQP28b8Wgik2=AwDD1CUjbfFj1SBQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "Oda, Terri" <terri.oda@intel.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Feb 4, 2015 at 10:50 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> > [...] I'm in favor of allowing IPv4 addresses, [...]
> I certainly don't see a point of building a speculative feature for
> something like IoT without IPv6 support.  Doubly so if it's not clear
> how I-o-Things will be identified in practice.

Sorry, mine was not a clearly written email. My justification for allowing
IPv4 is not IoT in itself, but the fact that IPv4 is being used today, by
the internet-of-things-that-happen-to-be-webservers-in-datacenters. It's
not clear to me that whitelisting `` covers the things that people
are already doing, and without non-anecdotal data either way, I'd suggest
erring on the side of cautiously continuing to allow the things that
implementations allow today.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 4 February 2015 10:25:14 UTC