
Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Brian Smith <brian@briansmith.org>
Date: Thu, 22 Jan 2015 11:56:07 -0800
Message-ID: <CAFewVt7J889FHBOXc6UawJdJCr5tYrux_QeAovxKK7wRCO-Kxg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote:
> Either way, it seems like something we're stuck with supporting. Skipping
> IPv6, however, seems pretty viable.

Do you need to support any IP address other than "127.0.0.1" and
"::1"? I'd suggest limiting support to just those two IP addresses,
and only those two notations, instead of all IP addresses.

Otherwise, in general, no new specification should specify support for
IPv4 without specifying IPv6 support. The IPv6 syntax isn't as
complicated as it initially looks. (source: I wrote an IPv6 address
parser for mozilla::pkix a couple of months ago.)

Similarly, nobody should be defining things that only work for http://
but not https://. Publicly-trusted CAs are not supposed to be issuing
certificates for IP addresses (IPv4 or IPv6) anymore, IIRC. This means
that https://<ip-address> should eventually stop working completely,
for the most part.

Cheers,
Brian
Received on Thursday, 22 January 2015 19:56:33 UTC
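As an added illustration of the two points in the message (restricting IP-literal host-sources to the spellings "127.0.0.1" and "[::1]", and treating http:// and https:// alike), here is a small Python matcher. It is example code written for this archive page, not part of the CSP specification or any browser implementation, and it deliberately simplifies CSP host-source matching: a scheme-less source is assumed to match both http and https, and paths, wildcards and scheme-only sources are not handled. The helper names and the `exact_notation` switch are this example's own; the IPv6 parsing is delegated to the standard `ipaddress` module, which handles compressed and mixed notations.

```python
import ipaddress
from urllib.parse import urlsplit

# The two loopback spellings the message proposes supporting, compared as text.
LOOPBACK_NOTATIONS = {"127.0.0.1", "[::1]"}
# The same two addresses as parsed values, used when spelling is normalized.
LOOPBACK_ADDRESSES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def split_authority(authority: str):
    """Split "host[:port]" into (host, port). A bracketed IPv6 host keeps its
    brackets so its original spelling can be compared. Returns None if malformed."""
    authority = authority.rsplit("@", 1)[-1]          # drop any userinfo
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            return None
        host, rest = authority[: end + 1], authority[end + 1:]
    elif authority.count(":") > 1:
        return None                                   # unbracketed IPv6 is not allowed
    elif ":" in authority:
        host, port_text = authority.split(":", 1)
        rest = ":" + port_text
    else:
        host, rest = authority, ""
    if rest == "":
        return host, None
    if rest.startswith(":") and rest[1:].isdigit():
        return host, int(rest[1:])
    return None


def parse_ip_literal(host: str):
    """Return an IPv4Address/IPv6Address if `host` is an IP literal, else None.
    ipaddress does the real IPv6 work: "::" compression, mixed "::ffff:1.2.3.4" form."""
    try:
        if host.startswith("[") and host.endswith("]"):
            return ipaddress.IPv6Address(host[1:-1])
        return ipaddress.IPv4Address(host)
    except ValueError:
        return None


def host_source_matches(source: str, url: str, exact_notation: bool = True) -> bool:
    """Does a simplified CSP host-source match the origin of `url`?

    IP-literal sources are accepted only for loopback. With exact_notation=True
    only the spellings "127.0.0.1" and "[::1]" are recognised and the URL must
    use the same spelling; with False any spelling of those two addresses is
    normalized before comparison. http and https are treated identically."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    src = split_authority(source)
    tgt = split_authority(parts.netloc)
    if src is None or tgt is None:
        return False
    src_host, src_port = src
    tgt_host, tgt_port = tgt

    src_ip = parse_ip_literal(src_host)
    if src_ip is not None:
        if exact_notation:
            if src_host not in LOOPBACK_NOTATIONS or tgt_host != src_host:
                return False
        else:
            if src_ip not in LOOPBACK_ADDRESSES or parse_ip_literal(tgt_host) != src_ip:
                return False
    elif src_host.lower() != tgt_host.lower():         # DNS names: case-insensitive
        return False

    # A source without a port means the scheme's default port.
    default_port = 443 if parts.scheme == "https" else 80
    return (src_port or default_port) == (tgt_port or default_port)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for source, url in [("127.0.0.1:8080", "http://127.0.0.1:8080/app"),
                        ("[::1]", "https://[::1]/"),
                        ("[::1]", "http://[0:0:0:0:0:0:0:1]/"),
                        ("10.0.0.1", "http://10.0.0.1/")]:
        print(f"{source:>16} vs {url:<35} exact={host_source_matches(source, url)} "
              f"normalized={host_source_matches(source, url, exact_notation=False)}")
```

The `exact_notation` flag makes the trade-off visible: accepting only two literal spellings keeps the matcher trivial and needs no IPv6 parser at all, while normalizing spellings requires one but then treats `[::1]` and `[0:0:0:0:0:0:0:1]` as the same origin, which is what a user writing either form expects.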
