W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Wed, 21 Jan 2015 14:23:17 +0100
Message-ID: <CAKXHy=fiz57mJrsEvSrYAGw7qrXm8uzKQzEpUg3SsyRp8PyXgQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Forking for visibility.

On Wed, Jan 21, 2015 at 1:33 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jan 21, 2015 at 1:21 PM, Mike West <mkwst@google.com> wrote:
> > What seems ok? Reverting the addition of IPv6 grammar, or changing our
> > matching algorithms to match IPv6?
> It seems okay to me to not support IP address matching and require
> domain names. If you do want to support it you'll have to make sure
> that you normalize both sides (or parse both sides into a data model
> you can compare).

Any strong objections to changing the algorithm to always return "does not
match" when presented with an IP address?

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 21 January 2015 13:24:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC