Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

On Wed, Feb 4, 2015 at 10:50 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> > [...] I'm in favor of allowing IPv4 addresses, [...]
>
> I certainly don't see a point of building a speculative feature for
> something like IoT without IPv6 support.  Doubly so if it's not clear
> how I-o-Things will be identified in practice.
>

Sorry, mine was not a clearly written email. My justification for allowing
IPv4 is not IoT in itself, but the fact that IPv4 is being used today, by
the internet-of-things-that-happen-to-be-webservers-in-datacenters. It's
not clear to me that whitelisting `127.0.0.1` covers the things that people
are already doing, and without non-anecdotal data either way, I'd suggest
erring on the side of cautiously continuing to allow the things that
implementations allow today.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 4 February 2015 10:25:14 UTC