- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 11 Feb 2015 02:01:06 +0100
- To: Mike West <mkwst@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
* Mike West wrote:

>On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:
>> We note the following issues of discussion and their resolution (including
>> open objections):
>>
>> 1) IPv6 address syntax for source matching has been deferred to CSP Level
>> 3. The lack of support for such does not prevent it being added in the
>> future in a compatible manner, but the group felt that lacking strong
>> interest and well-defined normalization routines for IPv6 at this time was
>> not sufficient cause to delay the advancement of CSP2.
>
>I think we deferred IPv4 as well (with the explicit exception of
>`127.0.0.1`), as per Brian's suggestions in
>https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0103.html,
>right? I landed
>https://github.com/w3c/webappsec/commit/c39f73a5fd93dd68de228a2e8914734c8e14a16c
>earlier this morning; I'll revert it if I misunderstood what we agreed upon.

This seems rather unacceptable to me. For one thing the suggestion above
is that implementations do something other than what is now in the
proposal; there also does not seem to be an actual rationale, and this
seems to make writing robust code a lot more difficult, even if you ignore
that apparently it is fine for implementations to do whatever they want
when they encounter IP literals.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
Available for hire in Berlin (early 2015) · http://www.websitedev.de/
Received on Wednesday, 11 February 2015 01:01:36 UTC