Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison) from Brian Smith on 2015-01-21 (public-webappsec@w3.org from January 2015)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 21 Jan 2015 10:06:00 -0800
To: Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt4HqFvVT7YKrAPt7A6dRT49cy8EANP=_a7EDSBmfS_PCw@mail.gmail.com>

Mike West <mkwst@google.com> wrote:
> On Wed, Jan 21, 2015 at 1:33 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>
>> On Wed, Jan 21, 2015 at 1:21 PM, Mike West <mkwst@google.com> wrote:
>> > What seems ok? Reverting the addition of IPv6 grammar, or changing our
>> > matching algorithms to match IPv6?
>>
>> It seems okay to me to not support IP address matching and require
>> domain names. If you do want to support it you'll have to make sure
>> that you normalize both sides (or parse both sides into a data model
>> you can compare).
>
> Any strong objections to changing the algorithm to always return "does not
> match" when presented with an IP address?

That is a very good idea.

Cheers,
Brian

Received on Wednesday, 21 January 2015 18:06:27 UTC