- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 28 Jan 2015 09:34:37 -0800
- To: Mike West <mkwst@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jan 28, 2015 at 1:37 AM, Mike West <mkwst@google.com> wrote:
> On Mon, Jan 26, 2015 at 8:46 PM, Brian Smith <brian@briansmith.org> wrote:
>> I still think it is fine for CSP to restrict itself to 127.0.0.1 and ::1.
>
> I think that's theoretically sound. It's not clear to me that we can
> actually do it, since we've been accepting ip addresses for the last ~2
> years. I'll add some metrics to Chrome to see if usage is widespread enough
> to worry about, or whether we can tighten things up without too many
> worries.

I want to clarify my initial suggestion: It is fine for the CSP *syntax* to
restrict itself to 120.0.0.1 and ::1 as far as IP addresses are concerned,
but CSP needs to be able to handle 'self' referring to any IP address,
including in particular private addresses. Otherwise, there'd be no way for
a home router configuration interface that typically lives at
http[s]:///192.168.0.1/ to use CSP. This nuance should be explicitly called
out in the spec.

Cheers,
Brian
Received on Wednesday, 28 January 2015 17:35:04 UTC
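The distinction the message draws (a literal IP address is accepted in CSP syntax only for the loopback addresses, while 'self' must keep matching whatever origin the document was actually served from, private addresses included) can be made concrete with a small source-expression matcher. The code below is an added illustration written for this archive page, not part of the original e-mail, the CSP specification, or any browser implementation; function names such as `source_matches` and `policy_allows` are my own, the rules for schemes, ports and wildcards are simplified, and the document and resource URLs are constructed sample values.

```python
"""Toy CSP source-list matcher (added example, not browser or spec code).

It demonstrates one reading of the thread's proposal:
  * a host-source written as an IP literal is accepted only for the
    loopback addresses 127.0.0.1 and ::1 (anything else is rejected);
  * 'self' matches the document's own origin regardless of host, so a
    device UI served from http://192.168.0.1/ can still use CSP.
Scheme, port and wildcard handling is deliberately simplified.
"""
import ipaddress
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1"}                 # the only IP literals accepted
DEFAULT_PORTS = {"http": 80, "https": 443}      # used when a port is omitted


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    host = u.hostname                            # strips IPv6 brackets, lowercases
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    return (u.scheme, host, port)


def is_ip_literal(host):
    """True if host parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_host_source(expr):
    """Parse a host-source such as 'https://example.com:8443', '127.0.0.1:8080'
    or '[::1]'. Returns (scheme-or-None, host, port-or-None), or None when the
    expression is a non-loopback IP literal, which the proposal rejects."""
    scheme, rest = (None, expr)
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    if rest.startswith("["):                     # bracketed IPv6 literal
        host, _, tail = rest[1:].partition("]")
        port = int(tail[1:]) if tail.startswith(":") else None
    else:
        host, _, tail = rest.partition(":")
        port = int(tail) if tail else None
    host = host.lower()
    if is_ip_literal(host) and host not in LOOPBACK:
        return None                              # e.g. '192.168.0.1' as a source
    return (scheme, host, port)


def source_matches(expr, document_url, resource_url):
    """Does one source expression allow resource_url for a page at document_url?"""
    doc, res = origin_of(document_url), origin_of(resource_url)
    if expr == "'self'":
        return doc == res                        # own origin, host type irrelevant
    if expr == "'none'":
        return False
    parsed = parse_host_source(expr)
    if parsed is None:
        return False                             # rejected literal never matches
    scheme, host, port = parsed
    if scheme is not None and scheme != res[0]:
        return False
    if scheme is None and doc[0] == "https" and res[0] != "https":
        return False                             # scheme-less source on an https page
    if host.startswith("*."):
        if not res[1].endswith(host[1:]):
            return False
    elif host != res[1]:
        return False
    if port is None:
        return res[2] == DEFAULT_PORTS.get(res[0])
    return port == res[2]


def policy_allows(directive_value, document_url, resource_url):
    """Evaluate a whitespace-separated source list (e.g. a script-src value)."""
    return any(source_matches(e, document_url, resource_url)
               for e in directive_value.split())


if __name__ == "__main__":
    # Constructed sample: a router UI on a private address using 'self'.
    print(policy_allows("'self'", "http://192.168.0.1/", "http://192.168.0.1/ui.js"))
    # Constructed sample: the same private address written as a host-source.
    print(policy_allows("192.168.0.1", "http://example.com/", "http://192.168.0.1/x.js"))
```

Run as a script it prints `True` then `False`: the first policy works because 'self' is resolved from the document origin, the second fails because a non-loopback IP literal is not accepted as a host-source under the proposal being discussed.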