
Re: CfC approved: CSP Level 2 to Candidate Recommendation

From: Mike West <mkwst@google.com>
Date: Wed, 11 Feb 2015 11:50:33 +0100
Message-ID: <CAKXHy=eHM=jTnqS7CjaKtrkqoQJxBQAL0_E3zHJx2PVtU+SjDA@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
Hi Bjoern!

On Wed, Feb 11, 2015 at 2:01 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> This seems rather unacceptable to me. For one thing the suggestion above
> is that implementations do something other than what is now in the
> proposal; there also does not seem to be an actual rationale, and


Note that this isn't actually a change from the existing
http://www.w3.org/TR/CSP/#source-list, which also doesn't support IP
literals in the policy grammar. All we're doing is making the implicit
behaviors explicit in the hopes of improving interoperability.


> this seems to
> make writing robust code a lot more difficult, even


In what way? We currently don't define at all what to do when dealing with
weirdly spelled IP addresses, and since the existing CSP spec also doesn't
define the behavior, it's likely that implementations are already all over
the map. I'd be shocked (pleasantly shocked, but shocked) if Firefox, IE12,
Spartan, and Chrome all agreed on whether `http://0x10.0x10.0x10.0x10/` and
`http://16.16.16.16/` match, or whether `http://1111111111/` and
`http://66.58.53.199/` match.

If anything, this change should help implementations agree on a simple set
of behaviors, making robust code more likely. :)


> if you ignore that
> apparently it is fine for implementations to do whatever they want when
> they encounter IP literals.
>

Note that the spec change does in fact ignore that part of Brian's
suggestion (sorry, Brian!). Practically, we'll need to add metrics to see
how quickly we can drop support for non-`127.0.0.1` addresses since we've
inadvertently had them for ~2 years in the wild, but if we can drop them,
we will. Blink will, at any rate. If the numbers are such that we can't
drop them, then we'll have to add them to CSP3 (which, hopefully, will take
significantly less than 2 years to publish :) ).

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 February 2015 10:51:21 UTC
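The following is an added illustration, not code from the message, from the CSP specification, or from any browser. It shows why the spellings Mike lists are the same address once a WHATWG-style URL parser has canonicalized them (Node's global `URL` implements that parser), and sketches a simplified CSP 2 style host-part matcher in which the policy token is compared as a string and an IP literal other than `127.0.0.1` never matches. Assumptions: the matcher only approximates the IP-literal rule the email refers to; scheme, port and path matching, `'self'`, and a bare `*` are left out; the function names are made up for this example.

```javascript
// Added example (not from the email, the CSP spec or any browser).

// Host of a URL as the browser sees it after parsing. Node's global URL
// implements the WHATWG URL Standard, whose IPv4 parser accepts hexadecimal
// (0x10), octal (0177) and shortened (1111111111) spellings and emits the
// canonical dotted quad. Returns null for input that does not parse as a URL.
function canonicalHost(urlString) {
  try {
    return new URL(urlString).hostname;
  } catch (e) {
    return null;
  }
}

// Do two URL spellings name the same host after canonicalization?
function sameHost(a, b) {
  const ha = canonicalHost(a);
  const hb = canonicalHost(b);
  return ha !== null && ha === hb;
}

// A dotted-quad IPv4 literal, the only IPv4 spelling a parsed URL can carry.
function isIPv4Literal(host) {
  return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(host);
}

// Simplified host-part matching for one CSP source expression.
// hostPart is the policy token exactly as the author wrote it: a policy is a
// list of tokens, not URLs, so this models an implementation that compares
// the token as a string and never runs it through the URL parser
// (assumption: this is one plausible implementation, not any browser's).
function hostPartMatches(hostPart, urlString) {
  const urlHost = canonicalHost(urlString);
  if (urlHost === null) return false; // unparseable URL: nothing to match

  // Assumption, following the behaviour the email describes for CSP 2: an IP
  // literal in the policy matches nothing unless it is exactly 127.0.0.1.
  if (isIPv4Literal(hostPart)) {
    return hostPart === "127.0.0.1" && urlHost === "127.0.0.1";
  }

  // "*.example.com" matches hosts ending in ".example.com", not "example.com".
  if (hostPart.startsWith("*.")) {
    const suffix = hostPart.slice(1).toLowerCase(); // ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }

  // Plain host name: ASCII case-insensitive comparison against the parsed host.
  return urlHost === hostPart.toLowerCase();
}

// The pairs from the message, plus an octal spelling of loopback.
console.log(canonicalHost("http://0x10.0x10.0x10.0x10/")); // 16.16.16.16
console.log(canonicalHost("http://1111111111/"));          // 66.58.53.199
console.log(canonicalHost("http://0177.0.0.1/"));          // 127.0.0.1

// Same address on the wire, but the policy-side literal is not 127.0.0.1,
// so the simplified CSP 2 rule says "does not match".
console.log(hostPartMatches("16.16.16.16", "http://0x10.0x10.0x10.0x10/")); // false
// Loopback is the one IP literal that can match, whatever the URL's spelling.
console.log(hostPartMatches("127.0.0.1", "http://0x7f.0.0.1/"));           // true
// A policy author's odd spelling is not canonicalized, so it never matches.
console.log(hostPartMatches("0x7f.0.0.1", "http://127.0.0.1/"));           // false
```

The asymmetry is the point of the thread: the URL side is normalized by the browser's URL parser, the policy side is a token in a header, and unless the spec pins down what an IP literal in the policy means, each implementation is free to compare the two however it likes.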
