Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 21 Jan 2015 17:57:56 +0000
Message-ID: <CAEeYn8jhj0Cjf=tLH+WyVHZoQjor_Uwwrtv1JfByr9ygfbqEvQ@mail.gmail.com>
To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Hat = individual.

No strong objections.  I always was iffy about use of IP addresses.  There
have been some requests for it but I think given low overall adoption rates
of CSP thus far, and the even lower use of IP addresses on the general Web,
it's fine to put it in the "for future exploration if demand merits" bucket.

-Brad

On Wed Jan 21 2015 at 5:26:29 AM Mike West <mkwst@google.com> wrote:

> Forking for visibility.
>
> On Wed, Jan 21, 2015 at 1:33 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
>> On Wed, Jan 21, 2015 at 1:21 PM, Mike West <mkwst@google.com> wrote:
>> > What seems ok? Reverting the addition of IPv6 grammar, or changing our
>> > matching algorithms to match IPv6?
>>
>> It seems okay to me to not support IP address matching and require
>> domain names. If you do want to support it you'll have to make sure
>> that you normalize both sides (or parse both sides into a data model
>> you can compare).
>
>
> Any strong objections to changing the algorithm to always return "does not
> match" when presented with an IP address?
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
Received on Wednesday, 21 January 2015 17:58:24 UTC
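
The two options weighed in this thread, side by side, as an added example that is not part of the original messages or of the CSP specification text. The function names are hypothetical, the hosts are assumed to be already extracted from the source expression and the URL, Python's `ipaddress` module stands in for the "data model", and "presented with an IP address" is assumed to mean an IP literal on either side.

```python
import ipaddress

def parse_ip_host(host):
    """Return an address object if host is an IP literal, else None."""
    # URLs and source expressions write IPv6 literals in brackets.
    candidate = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None

def match_string(source_host, url_host):
    """Baseline: case-insensitive string comparison, no normalization."""
    return source_host.lower() == url_host.lower()

def match_data_model(source_host, url_host):
    """Parse both sides; compare IPs as addresses, names as strings."""
    a, b = parse_ip_host(source_host), parse_ip_host(url_host)
    if a is not None or b is not None:
        return a is not None and a == b
    return match_string(source_host, url_host)

def match_no_ip(source_host, url_host):
    """Proposal from the thread: an IP address never matches."""
    if parse_ip_host(source_host) is not None or parse_ip_host(url_host) is not None:
        return False
    return match_string(source_host, url_host)

# Constructed sample pairs (policy host, request host); documentation ranges only.
PAIRS = [
    ("[2001:db8::1]", "[2001:0DB8:0:0:0:0:0:1]"),  # same address, two spellings
    ("[2001:db8::1]", "[2001:db8::2]"),            # different addresses
    ("192.0.2.10", "192.0.2.10"),                  # identical IPv4 literal
    ("example.com", "EXAMPLE.com"),                # domain name, case differs
]

def compare_all(pairs=PAIRS):
    """Return (string, data_model, no_ip) results for each pair."""
    return [(match_string(s, u), match_data_model(s, u), match_no_ip(s, u))
            for s, u in pairs]

if __name__ == "__main__":
    for (s, u), row in zip(PAIRS, compare_all()):
        print(f"{s:16} vs {u:26} string={row[0]} model={row[1]} no_ip={row[2]}")
```

The first pair is the case the thread is about: without normalization the same IPv6 address written two ways fails to match, so a policy author's allowlist entry silently stops applying.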
