- From: Mike West <mkwst@google.com>
- Date: Wed, 11 Feb 2015 11:50:33 +0100
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CAKXHy=eHM=jTnqS7CjaKtrkqoQJxBQAL0_E3zHJx2PVtU+SjDA@mail.gmail.com>
Hi Bjoern!

On Wed, Feb 11, 2015 at 2:01 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> This seems rather unacceptable to me. For one thing the suggestion above
> is that implementations do something other than what is now in the proposal;
> there also does not seem an actual rationale, and

Note that this isn't actually a change from the existing http://www.w3.org/TR/CSP/#source-list, which also doesn't support IP literals in the policy grammar. All we're doing is making the implicit behaviors explicit in the hopes of improving interoperability.

> this seems to
> make writing robust code a lot more difficult, even

In what way? We currently don't define at all what to do when dealing with weirdly spelled IP addresses, and since the existing CSP spec also doesn't define the behavior, it's likely that implementations are already all over the map. I'd be shocked (pleasantly shocked, but shocked) if Firefox, IE12, Spartan, and Chrome all agreed on whether `http://0x10.0x10.0x10.0x10/` and `http://16.16.16.16/` match, or whether `http://1111111111/` and `http://66.58.53.199/` match.

If anything, this change should help implementations agree on a simple set of behaviors, making robust code more likely. :)

> if you ignore that
> apparently it is fine for implementations to do whatever they want when
> they encounter IP literals.

Note that the spec change does in fact ignore that part of Brian's suggestion (sorry, Brian!). Practically, we'll need to add metrics to see how quickly we can drop support for non-`127.0.0.1` addresses since we've inadvertently had them for ~2 years in the wild, but if we can drop them, we will. Blink will, at any rate. If the numbers are such that we can't drop them, then we'll have to add them to CSP3 (which, hopefully, will take significantly less than 2 years to publish :) ).
--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 February 2015 10:51:21 UTC
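The interoperability problem Mike raises is that a URL host can spell one IPv4 address several ways (hex parts, a single decimal integer). As an added illustration that is not part of the thread or of any CSP specification text, the following Python normalizes the spellings he lists using WHATWG-URL-style IPv4 parsing, then applies the direction he describes as an assumed matching rule: a host-source whose URL host or expression host is an IP literal matches only when both sides are 127.0.0.1; `parse_ipv4` and `host_source_matches` are hypothetical helper names.

```python
import re
from typing import Optional

# A dotted part may be hex (0x..), octal (leading 0) or decimal, as in WHATWG URL parsing.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(p: str) -> int:
    if p[:2].lower() == "0x":
        return int(p[2:] or "0", 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def parse_ipv4(host: str) -> Optional[str]:
    """Return canonical dotted-quad text if host is an IPv4 literal in any
    spelling, else None. Up to four parts; the last part fills the remaining
    bytes, so a bare integer like 1111111111 is one whole address."""
    parts = host.split(".")
    if parts and parts[-1] == "":  # tolerate a single trailing dot
        parts.pop()
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = 0
    for n in nums[:-1]:
        value = value * 256 + n
    value = value * 256 ** (5 - len(nums)) + nums[-1]
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def host_source_matches(expression_host: str, url_host: str) -> bool:
    """Assumed rule (not quoted from a spec): IP literals in either the policy
    or the URL never match, except 127.0.0.1 against 127.0.0.1. Non-IP hosts
    are compared case-insensitively with support for a leading '*.' wildcard."""
    url_ip, expr_ip = parse_ipv4(url_host), parse_ipv4(expression_host)
    if url_ip is not None or expr_ip is not None:
        return url_ip == "127.0.0.1" and expr_ip == "127.0.0.1"
    e, u = expression_host.lower(), url_host.lower()
    if e.startswith("*."):
        # '*.example.com' matches 'www.example.com' but not 'example.com' itself
        return u.endswith(e[1:]) and len(u) > len(e) - 1
    return e == u


if __name__ == "__main__":
    for h in ("0x10.0x10.0x10.0x10", "16.16.16.16", "1111111111", "66.58.53.199"):
        print(f"{h:>22} -> {parse_ipv4(h)}")
```

Without a shared normalization step, two user agents can legitimately disagree on whether `16.16.16.16` and `0x10.0x10.0x10.0x10` denote the same host, which is exactly the divergence the thread expects; the explicit rule removes the question by refusing to match IP literals at all.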