Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

Hrm. I took a quick look at Facebook's CSP, and it whitelists script from
`127.0.0.1:*` (for development, I hope?). :(

Perhaps locking down IPv6 would be a safer place to start? I've done so at
https://github.com/w3c/webappsec/commit/b52c77b82b14ec7b619708543f5f9507215548a7.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Court of
registration and number: Hamburg, HRB 86891, Registered office: Hamburg,
Managing Directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jan 21, 2015 at 7:06 PM, Brian Smith <brian@briansmith.org> wrote:

> Mike West <mkwst@google.com> wrote:
> > On Wed, Jan 21, 2015 at 1:33 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> >>
> >> On Wed, Jan 21, 2015 at 1:21 PM, Mike West <mkwst@google.com> wrote:
> >> > What seems ok? Reverting the addition of IPv6 grammar, or changing our
> >> > matching algorithms to match IPv6?
> >>
> >> It seems okay to me to not support IP address matching and require
> >> domain names. If you do want to support it you'll have to make sure
> >> that you normalize both sides (or parse both sides into a data model
> >> you can compare).
> >
> > Any strong objections to changing the algorithm to always return "does
> > not match" when presented with an IP address?
>
> That is a very good idea.
>
> Cheers,
> Brian
>

Received on Thursday, 22 January 2015 04:54:44 UTC
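The matching rule discussed in this thread, as an added example that is not part of the original messages, the CSP spec text, or the linked commit: a simplified CSP host-source matcher in which an IP-address host on either side always yields "does not match". The `rejectIPv4` / `rejectIPv6` options are an assumption introduced here to contrast the full proposal (reject all IP literals) with the IPv6-only lockdown, and the scheme default-port rules of real CSP matching are deliberately omitted.

```javascript
// Simplified CSP host-source matching (added example, not the spec algorithm).
// Demonstrates why a rule of "an IP address never matches" sidesteps the
// need to normalise IP literals on both sides before comparing them.

function isIPv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

function isIPv6Literal(host) {
  return host.startsWith("[") && host.endsWith("]");
}

// Split "host[:port]" where host may be a bracketed IPv6 literal.
function parseHostAndPort(s) {
  if (s.startsWith("[")) {
    const end = s.indexOf("]");
    if (end === -1) return null;
    const host = s.slice(0, end + 1);
    const rest = s.slice(end + 1);
    if (rest === "") return { host, port: null };
    if (rest.startsWith(":")) return { host, port: rest.slice(1) };
    return null;
  }
  const idx = s.lastIndexOf(":");
  if (idx === -1) return { host: s, port: null };
  return { host: s.slice(0, idx), port: s.slice(idx + 1) };
}

// "*.example.com" matches any subdomain; otherwise hosts compare equal
// case-insensitively (domain names only, no IP normalisation is attempted).
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// No port in the source: URL must also carry none; "*": any port; else equal.
function portMatches(pattern, port) {
  if (pattern === null) return port === null;
  if (pattern === "*") return true;
  return pattern === port;
}

// opts.rejectIPv4 / opts.rejectIPv6 (assumed flags) switch the thread's
// proposal on per address family; both default to the full proposal.
function sourceMatches(sourceExpr, urlHostPort, opts = {}) {
  const { rejectIPv4 = true, rejectIPv6 = true } = opts;
  const src = parseHostAndPort(sourceExpr);
  const url = parseHostAndPort(urlHostPort);
  if (!src || !url) return false;
  // The proposal: an IP literal on either side means "does not match",
  // so equivalent spellings such as [::1] and [0:0:0:0:0:0:0:1] never
  // have to be reconciled.
  if (rejectIPv6 && (isIPv6Literal(src.host) || isIPv6Literal(url.host))) return false;
  if (rejectIPv4 && (isIPv4Literal(src.host) || isIPv4Literal(url.host))) return false;
  return hostMatches(src.host, url.host) && portMatches(src.port, url.port);
}

// Constructed sample inputs: a wildcard domain source, a localhost IPv4
// source of the kind mentioned in the thread, and two spellings of IPv6 ::1.
console.log(sourceMatches("*.example.com:443", "cdn.example.com:443"));         // true
console.log(sourceMatches("127.0.0.1:*", "127.0.0.1:8080"));                    // false
console.log(sourceMatches("127.0.0.1:*", "127.0.0.1:8080", { rejectIPv4: false })); // true
console.log(sourceMatches("[::1]", "[0:0:0:0:0:0:0:1]", { rejectIPv6: false })); // false
```

The last call shows the normalisation problem Anne describes: with IPv6 matching left enabled, a plain string comparison treats `[::1]` and `[0:0:0:0:0:0:0:1]` as different hosts even though they denote the same address. The third call shows that locking down only IPv6 leaves a `127.0.0.1:*` source, as in the policy Mike mentions, functional.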