
Re: CfC approved: CSP Level 2 to Candidate Recommendation

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 11 Feb 2015 02:01:06 +0100
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <lt9lda105t76iffotr1h2u7564m22hmic1@hive.bjoern.hoehrmann.de>
* Mike West wrote:
>On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:
>> We note the following issues of discussion and their resolution (including
>>  open objections):
>>
>> 1) IPv6 address syntax for source matching has been deferred to CSP Level
>> 3.  The lack of support for such does not prevent it being added in the
>> future in a compatible manner, but the group felt that lacking strong
>> interest and well-defined normalization routines for IPv6 at this time was
>> not sufficient cause to delay the advancement of CSP2.
>
>I think we deferred IPv4 as well (with the explicit exception of
>`127.0.0.1`), as per Brian's suggestions in
>https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0103.html,
>right? I landed
>https://github.com/w3c/webappsec/commit/c39f73a5fd93dd68de228a2e8914734c8e14a16c
>earlier this morning; I'll revert it if I misunderstood what we agreed upon.

This seems rather unacceptable to me. For one thing the suggestion above
is that implementations do something other than what is now in the
proposal; there also does not seem to be an actual rationale, and this
seems to make writing robust code a lot more difficult, even if you ignore
that apparently it is fine for implementations to do whatever they want
when they encounter IP literals.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
Received on Wednesday, 11 February 2015 01:01:36 UTC
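As an added illustration (not part of the thread, of the CSP2 draft, or of any browser's code), here is a host-part matcher that behaves the way the messages above describe: IPv4 and IPv6 literals in a source expression never match, with the single exception of the literal `127.0.0.1`. The function names, the name-host wildcard handling and the omission of scheme, port and path matching are my own simplifications.

```python
import ipaddress
from urllib.parse import urlsplit

# The one IPv4 literal the thread says CSP2 still matches (assumption: exact-string match only).
LOOPBACK_EXCEPTION = "127.0.0.1"


def host_kind(host: str) -> str:
    """Classify a host string as 'ipv4', 'ipv6', or 'name' (anything that is not an IP literal)."""
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return "ipv" + str(ipaddress.ip_address(bare).version)
    except ValueError:
        return "name"


def host_matches(source_host: str, url_host: str) -> bool:
    """Match the host part of a host-source against a URL host.

    Name hosts compare case-insensitively; a leading '*.' matches any
    chain of subdomains but not the bare domain itself.
    IP-literal sources match nothing except 127.0.0.1 matching 127.0.0.1,
    mirroring the deferral of IP-literal syntax discussed in the thread.
    """
    s, u = source_host.lower(), url_host.lower()
    if host_kind(s) != "name":
        return s == LOOPBACK_EXCEPTION and u == LOOPBACK_EXCEPTION
    if host_kind(u) != "name":
        return False  # a name source never matches an IP literal in the URL
    if s.startswith("*."):
        suffix = s[1:]  # "*.example.com" -> ".example.com"
        return u.endswith(suffix) and len(u) > len(suffix)
    return s == u


def url_allowed(host_sources: str, url: str) -> bool:
    """True if the URL's host matches any host-source in a space-separated list (hosts only, no keywords)."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(src, host) for src in host_sources.split())
```

Running it against an IPv6 literal such as `http://[::1]/` shows the robustness problem Björn raises: the URL parses fine, but no source expression on the list can ever admit it.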
