Re: CfC approved: CSP Level 2 to Candidate Recommendation

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 11 Feb 2015 02:01:06 +0100
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <lt9lda105t76iffotr1h2u7564m22hmic1@hive.bjoern.hoehrmann.de>

* Mike West wrote:
>On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:
>> We note the following issues of discussion and their resolution (including
>>  open objections):
>> 1) IPv6 address syntax for source matching has been deferred to CSP Level
>> 3.  The lack of support for such does not prevent it being added in the
>> future in a compatible manner, but the group felt that lacking strong
>> interest and well-defined normalization routines for IPv6 at this time was
>> not sufficient cause to delay the advancement of CSP2.
>I think we deferred IPv4 as well (with the explicit exception of
>``), as per Brian's suggestions in
>right? I landed
>earlier this morning; I'll revert it if I misunderstood what we agreed upon.

This seems rather unacceptable to me. For one thing the suggestion above
is that implementations do something other than what is now in the
proposal; there also does not seem to be an actual rationale, and this
seems to make writing robust code a lot more difficult, even if you
ignore that apparently it is fine for implementations to do whatever
they want when they encounter IP literals.

Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
Received on Wednesday, 11 February 2015 01:01:36 UTC
