W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Wed, 28 Jan 2015 10:37:46 +0100
Message-ID: <CAKXHy=dG72QimQ3SU5ckEd8d9DGuQzZmcY+YCWhJto9rDjgX1Q@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 26, 2015 at 8:46 PM, Brian Smith <brian@briansmith.org> wrote:

> Brad Hill <hillbrad@gmail.com> wrote:
> > Public CAs are only to stop issuing for IP addresses in reserved ranges,
> I
> > believe. (10.0.0.0, 171.16.0.0, 192.168.0.0, 127.0.0.1)
>
> Yes, unfortunately, that does seem to be the case.
>
> I still think it is fine for CSP to restrict itself to 127.0.0.1 and ::1.
>

I think that's theoretically sound. It's not clear to me that we can
actually do it, since we've been accepting ip addresses for the last ~2
years. I'll add some metrics to Chrome to see if usage is widespread enough
to worry about, or whether we can tighten things up without too many
worries.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 28 January 2015 09:38:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC