Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Thu, 5 Feb 2015 08:29:44 +0100
Message-ID: <CAKXHy=f0kFNGdUeAf9fuSb30ucc9cGB3UBtkFY=hVNHw6N0uPw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "Oda, Terri" <terri.oda@intel.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Feb 5, 2015 at 12:15 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 4 February 2015 at 21:24, Mike West <mkwst@google.com> wrote:
> > My justification for allowing IPv4 is not IoT in itself, but the fact that
> > IPv4 is being used today, by the
> > internet-of-things-that-happen-to-be-webservers-in-datacenters.
>
> Can you explain how those iotthtbwid devices might benefit from CSP?
> I don't want to be obtuse, but I'm not seeing a case there.
>

I'm just thinking of normal websites that load data from servers via IP
addresses rather than named hosts. I don't think that's something we
particularly want to encourage, but neither is it something that I'd be
surprised to see substantial numbers of sites doing today.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 5 February 2015 07:30:33 UTC
