Hrm. I took a quick look at Facebook's CSP, and it whitelists script from `127.0.0.1:*` (for development, I hope?). :( Perhaps locking down IPv6 would be a safer place to start? I've done so at https://github.com/w3c/webappsec/commit/b52c77b82b14ec7b619708543f5f9507215548a7 . -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Wed, Jan 21, 2015 at 7:06 PM, Brian Smith <brian@briansmith.org> wrote: > Mike West <mkwst@google.com> wrote: > > On Wed, Jan 21, 2015 at 1:33 PM, Anne van Kesteren <annevk@annevk.nl> > wrote: > >> > >> On Wed, Jan 21, 2015 at 1:21 PM, Mike West <mkwst@google.com> wrote: > >> > What seems ok? Reverting the addition of IPv6 grammar, or changing our > >> > matching algorithms to match IPv6? > >> > >> It seems okay to me to not support IP address matching and require > >> domain names. If you do want to support it you'll have to make sure > >> that you normalize both sides (or parse both sides into a data model > >> you can compare). > > > > Any strong objections to changing the algorithm to always return "does > not > > match" when presented with an IP address? > > That is a very good idea. > > Cheers, > Brian >
Received on Thursday, 22 January 2015 04:54:44 UTC