W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Thu, 22 Jan 2015 08:02:44 +0100
Message-ID: <CAKXHy=eijB4Nkb1DeoF8379fy8A48VBbKAosRtcQmt82UCFZBA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 22, 2015 at 7:56 AM, Brad Hill <hillbrad@gmail.com> wrote:

> Ah, good catch!  That reminds me: (why I think that is there) there are
> some bugs with Chrome + CSP on iOS, because of the constraints that
> platform puts on implementers of "new" browsers.  Stuff like the safe
> browsing service there is done by making hidden calls to locally listening
> websockets, but these hidden calls are subject to the page's CSP, so if you
> don't whitelist localhost:* or*, https pages end up triggering
> a false positive on the malicious site check and get blocked.  :(
> "localhost" does seem to work and should be safer.  But there are probably
> a good number of sites working around this bug with "*".

That is a sad story. :(

I thought the Chrome on iOS folks were working around those issues by
injecting policy modifications in order to enable the local connections. Is
this just an issue for folks with old versions of the browser, or is it
still an issue in the latest stable?

Either way, it seems like something we're stuck with supporting. Skipping
IPv6, however, seems pretty viable.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 22 January 2015 07:03:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC