Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

Mike West <mkwst@google.com> wrote:
> Either way, it seems like something we're stuck with supporting. Skipping
> IPv6, however, seems pretty viable.

Do you need to support any IP address other than "127.0.0.1" and
"::1"? I'd suggest limiting support to just those two IP addresses,
and only those two notations, instead of all IP addresses.

Otherwise, in general, no new specification should specify support for
IPv4 without specifying IPv6 support. The IPv6 syntax isn't as
complicated as it initially looks. (source: I wrote an IPv6 address
parser for mozilla::pkix a couple of months ago.)

Similarly, nobody should be defining things that only work for http://
but not https://. Publicly-trusted CAs are not supposed to be issuing
certificates for IP addresses (IPv4 or IPv6) anymore, IIRC. This means
that https://<ip-address> should eventually stop working completely,
for the most part.

Cheers,
Brian

Received on Thursday, 22 January 2015 19:56:33 UTC
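Added example, not part of the thread and not Brian's mozilla::pkix parser: a compact textual IPv6/IPv4 literal parser following the RFC 4291 section 2.2 syntax (at most one `::`, 1-4 hex digit groups, optional trailing dotted-quad), alongside the strict "only `127.0.0.1` and `::1`" host check he proposes. The function names are made up here, and the strict check also accepts the bracketed `[::1]` spelling on the assumption that the literal is taken from a URL-style source expression; the sample hosts at the bottom are constructed. The contrast between `isLoopbackLiteral` (two spellings) and `isLoopbackAddress` (any equivalent notation) is the point: the strict check needs no address parser at all.

```javascript
// Hypothetical names; not the CSP spec's or any browser's code.
const HEX_GROUP = /^[0-9a-fA-F]{1,4}$/;

// Strict dotted-decimal only: four parts, no leading zeros, no "127.1" shortcuts.
function parseIPv4(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  const bytes = new Uint8Array(4);
  for (let i = 0; i < 4; i++) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(parts[i])) return null;
    const v = Number(parts[i]);
    if (v > 255) return null;
    bytes[i] = v;
  }
  return bytes;
}

// "a:b:c" -> array of 16-bit groups; "" -> []. A trailing dotted-quad is
// allowed only where RFC 4291 allows it (the low-order end) and counts as two groups.
function parseGroups(text, allowTrailingIPv4) {
  if (text === "") return [];
  const parts = text.split(":");
  const out = [];
  for (let i = 0; i < parts.length; i++) {
    const p = parts[i];
    if (i === parts.length - 1 && allowTrailingIPv4 && p.includes(".")) {
      const v4 = parseIPv4(p);
      if (v4 === null) return null;
      out.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
    } else {
      if (!HEX_GROUP.test(p)) return null;
      out.push(parseInt(p, 16));
    }
  }
  return out;
}

// RFC 4291 2.2 text form -> 16 bytes, or null if the syntax is invalid.
function parseIPv6(text) {
  const halves = text.split("::");
  if (halves.length > 2) return null;          // "1::2::3" is not allowed
  let groups;
  if (halves.length === 1) {
    groups = parseGroups(halves[0], true);
    if (groups === null || groups.length !== 8) return null;
  } else {
    const left = parseGroups(halves[0], false);
    const right = parseGroups(halves[1], true);
    if (left === null || right === null) return null;
    if (left.length + right.length > 7) return null; // "::" stands for >= 1 group
    groups = left.concat(new Array(8 - left.length - right.length).fill(0), right);
  }
  const bytes = new Uint8Array(16);
  groups.forEach((g, i) => { bytes[2 * i] = g >> 8; bytes[2 * i + 1] = g & 0xff; });
  return bytes;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Host literal as it would appear in a URL: "[v6]" or bare v6 or dotted v4.
function parseIPLiteral(host) {
  if (host.startsWith("[") && host.endsWith("]")) {
    const b = parseIPv6(host.slice(1, -1));
    return b ? { family: 6, bytes: b } : null;
  }
  if (host.includes(":")) {
    const b = parseIPv6(host);
    return b ? { family: 6, bytes: b } : null;
  }
  const b = parseIPv4(host);
  return b ? { family: 4, bytes: b } : null;
}

// Brian's proposal: exactly two spellings, no address parsing involved.
// Accepting "[::1]" is an assumption made here for URL-style host syntax.
function isLoopbackLiteral(host) {
  return host === "127.0.0.1" || host === "::1" || host === "[::1]";
}

// Full-parser alternative: any notation for 127/8 or ::1. Note that the
// IPv4-mapped form ::ffff:127.0.0.1 parses but is deliberately not folded in.
function isLoopbackAddress(host) {
  const ip = parseIPLiteral(host);
  if (ip === null) return false;
  if (ip.family === 4) return ip.bytes[0] === 127;
  return toHex(ip.bytes) === "0".repeat(31) + "1";
}

// Constructed sample hosts (not from the thread).
for (const h of ["127.0.0.1", "::1", "[::1]", "0:0:0:0:0:0:0:1", "::ffff:127.0.0.1", "127.1", "1:::2"]) {
  console.log(h.padEnd(18), "strict:", isLoopbackLiteral(h), "parsed:", isLoopbackAddress(h));
}
```

Run with `node` to see the table; the strict check rejects every spelling except the two listed, while the parser-based check accepts `0:0:0:0:0:0:0:1` and `127.0.0.2` as well, which is exactly the extra surface the proposal avoids.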