Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 6 Feb 2015 08:27:00 +1100
Message-ID: <CABkgnnXVCy89KOHDVePfwxHJKj=FScnNu18-70n31SOOEMqU1w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, "Oda, Terri" <terri.oda@intel.com>

On Feb 5, 2015 6:30 PM, "Mike West" <mkwst@google.com> wrote:
>
>> Can you explain how those iotthtbwid devices might benefit from CSP?
>> I don't want to be obtuse, but I'm not seeing a case there.
>
>
> I'm just thinking of normal websites that load data from servers via IP
> addresses rather than named hosts. I don't think that's something we
> particularly want to encourage, but neither is it something that I'd be
> surprised to see substantial numbers of sites doing today.

Those won't be serving over https. Ask yourself how far out of your way you
want to go to support those servers. :)

The issue with lack of names for sensor networks and other such things is
something that I'm more sympathetic to, but it's not clear to me that the
use case is anything other than speculative at this point.
Received on Thursday, 5 February 2015 21:27:32 UTC
