Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 22 Jan 2015 06:56:21 +0000
Message-ID: <CAEeYn8jmipx7VnyO6WqjKJMoztnAvxe99NXbjKvbRVetwzUdLg@mail.gmail.com>
To: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Ah, good catch!  That reminds me: (why I think that is there) there are
some bugs with Chrome + CSP on iOS, because of the constraints that
platform puts on implementers of "new" browsers.  Stuff like the safe
browsing service there is done by making hidden calls to locally listening
websockets, but these hidden calls are subject to the page's CSP, so if you
don't whitelist localhost:* or 127.0.0.1:*, https pages end up triggering a
false positive on the malicious site check and get blocked.  :(

"localhost" does seem to work and should be safer.  But there are probably
a good number of sites working around this bug with "127.0.0.1:*".

On Wed Jan 21 2015 at 8:56:59 PM Mike West <mkwst@google.com> wrote:

> Hrm. I took a quick look at Facebook's CSP, and it whitelists script from
> `127.0.0.1:*` (for development, I hope?). :(
>
> Perhaps locking down IPv6 would be a safer place to start? I've done so at
> https://github.com/w3c/webappsec/commit/b52c77b82b14ec7b619708543f5f9507215548a7
> .
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Register court and number: Hamburg, HRB 86891, Registered office
> of the company: Hamburg, Managing directors: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Wed, Jan 21, 2015 at 7:06 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> Mike West <mkwst@google.com> wrote:
>> > On Wed, Jan 21, 2015 at 1:33 PM, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>> >>
>> >> On Wed, Jan 21, 2015 at 1:21 PM, Mike West <mkwst@google.com> wrote:
>> >> > What seems ok? Reverting the addition of IPv6 grammar, or changing
>> our
>> >> > matching algorithms to match IPv6?
>> >>
>> >> It seems okay to me to not support IP address matching and require
>> >> domain names. If you do want to support it you'll have to make sure
>> >> that you normalize both sides (or parse both sides into a data model
>> >> you can compare).
>> >
>> > Any strong objections to changing the algorithm to always return "does
>> not
>> > match" when presented with an IP address?
>>
>> That is a very good idea.
>>
>> Cheers,
>> Brian
>>
>
>
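The two candidate rules from this thread, as an added example that is not part of the thread or of any CSP implementation: a small JavaScript checker that classifies the host part of a CSP host-source, applies either "IPv6 never matches" (the commit Mike links) or "any IP literal never matches" (Brian's proposal), and lints a directive value for the sources that would stop matching, such as a `127.0.0.1:*` entry. Function names, the simplified source grammar (no path component) and the sample policy are assumptions.

```javascript
// Added example, not from the thread. Simplified CSP host-source handling:
// "scheme://host:port" with scheme and port optional; no path support.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Classify a host as 'ipv6' ("[::1]"), 'ipv4' (dotted quad) or 'name'.
// Non-canonical IPv4 spellings (hex, shorthand) are deliberately not handled.
function classifyHost(host) {
  if (host.startsWith('[') && host.endsWith(']')) return 'ipv6';
  const m = IPV4.exec(host);
  if (m && m.slice(1).every(o => Number(o) <= 255)) return 'ipv4';
  return 'name';
}

// Split a host-source expression into scheme, host and port; null if it is
// not a host-source (keyword such as 'self', bare scheme such as "https:").
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\[[0-9a-f:.]+\]|[^:\/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2], port: m[3] || null };
}

// Host-part match under one of the two rules discussed:
//   'ipv6-only': IPv6 literals never match, IPv4 literals compare byte-for-byte
//   'all-ip':    any IP literal in the source never matches
function hostMatches(sourceHost, urlHost, rule) {
  const kind = classifyHost(sourceHost);
  if (kind === 'ipv6') return false;
  if (kind === 'ipv4') return rule === 'all-ip' ? false : sourceHost === urlHost;
  if (sourceHost.startsWith('*.')) {
    const suffix = sourceHost.slice(1).toLowerCase();   // ".example.com"
    return urlHost.toLowerCase().endsWith(suffix) && urlHost.length > suffix.length;
  }
  return sourceHost.toLowerCase() === urlHost.toLowerCase();
}

// Lint a directive value: the host-sources that would stop matching under `rule`.
function sourcesBrokenBy(directiveValue, rule) {
  return directiveValue.trim().split(/\s+/).filter(expr => {
    const p = parseHostSource(expr);
    if (!p) return false;
    const kind = classifyHost(p.host);
    return kind === 'ipv6' || (kind === 'ipv4' && rule === 'all-ip');
  });
}

// Constructed sample policy value, in the spirit of the one described above.
const SAMPLE = "'self' https: localhost:* 127.0.0.1:* [::1]:*";
```

Running `sourcesBrokenBy(SAMPLE, 'all-ip')` reports both IP literals while `localhost:*` survives, which is the trade-off Brad describes for sites that worked around the iOS bug with `127.0.0.1:*`.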
Received on Thursday, 22 January 2015 06:56:49 UTC