
Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Wed, 4 Feb 2015 11:24:26 +0100
Message-ID: <CAKXHy=cKwvhMs6VhRb5RMBQP28b8Wgik2=AwDD1CUjbfFj1SBQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "Oda, Terri" <terri.oda@intel.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Feb 4, 2015 at 10:50 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> > [...] I'm in favor of allowing IPv4 addresses, [...]
>
> I certainly don't see a point of building a speculative feature for
> something like IoT without IPv6 support.  Doubly so if it's not clear
> how I-o-Things will be identified in practice.
>

Sorry, mine was not a clearly written email. My justification for allowing
IPv4 is not IoT in itself, but the fact that IPv4 is being used today, by
the internet-of-things-that-happen-to-be-webservers-in-datacenters. It's
not clear to me that whitelisting `127.0.0.1` covers the things that people
are already doing, and without non-anecdotal data either way, I'd suggest
erring on the side of cautiously continuing to allow the things that
implementations allow today.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 4 February 2015 10:25:14 UTC
