
Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 28 Jan 2015 09:34:37 -0800
Message-ID: <CAFewVt7Y616d+WSh3rFQJKADRiH2zTzgC=TCh0+CzphDX7xOCg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jan 28, 2015 at 1:37 AM, Mike West <mkwst@google.com> wrote:
> On Mon, Jan 26, 2015 at 8:46 PM, Brian Smith <brian@briansmith.org> wrote:
>> I still think it is fine for CSP to restrict itself to 127.0.0.1 and ::1.
>
> I think that's theoretically sound. It's not clear to me that we can
> actually do it, since we've been accepting ip addresses for the last ~2
> years. I'll add some metrics to Chrome to see if usage is widespread enough
> to worry about, or whether we can tighten things up without too many
> worries.

I want to clarify my initial suggestion: It is fine for the CSP
*syntax* to restrict itself to 120.0.0.1 and ::1 as far as IP
addresses are concerned, but CSP needs to be able to handle 'self'
referring to any IP address, including in particular private
addresses. Otherwise, there'd be no way for a home router
configuration interface that typically lives at
http[s]:///192.168.0.1/ to use CSP. This nuance should be explicitly
called out in the spec.

Cheers,
Brian
Received on Wednesday, 28 January 2015 17:35:04 UTC
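The distinction drawn in the message above, modelled in code as an added example (this is not the CSP specification's algorithm, a browser's implementation, or code from anyone on the thread): a toy source-expression matcher whose *syntax* rejects every IP literal except the loopback addresses 127.0.0.1 and ::1, while 'self' still resolves to whatever origin the document was served from, including a private address such as 192.168.0.1. The function names, the policy strings and the URLs are all constructed for the example; wildcards, path matching and scheme upgrades are deliberately left out.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed restriction for this example: the only IP literals the
# source-expression syntax accepts (the loopback addresses from the thread).
ALLOWED_IP_LITERALS = {"127.0.0.1", "::1"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_ip_literal(host):
    """True if host parses as an IPv4 or IPv6 address (brackets tolerated)."""
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False


def origin_of(url):
    """(scheme, host, effective port) of a URL; hostname is lowercased and
    IPv6 brackets are stripped by urlsplit."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def parse_source(expr):
    """Parse one host-source. Raises ValueError for any IP literal that is
    not in ALLOWED_IP_LITERALS; 'self' is parsed without any host at all,
    because its meaning is only known once the document's origin is known."""
    expr = expr.strip()
    if expr == "'self'":
        return ("self",)
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    if rest.startswith("["):                      # bracketed IPv6 literal
        end = rest.index("]")
        host, tail = rest[1:end], rest[end + 1:]
    else:
        host, _, tail = rest.partition(":")
        tail = ":" + tail if tail else ""
    port = int(tail[1:]) if tail.startswith(":") else None
    host = host.lower()
    if is_ip_literal(host) and host not in ALLOWED_IP_LITERALS:
        raise ValueError(f"IP literal {host!r} is not permitted in a source expression")
    return ("host", scheme, host, port)


def parse_directive_value(value):
    """Split a directive value such as \"'self' http://127.0.0.1:8080\"."""
    return [parse_source(tok) for tok in value.split()]


def directive_is_valid(value):
    """Convenience wrapper: does the whole directive value parse?"""
    try:
        parse_directive_value(value)
        return True
    except ValueError:
        return False


def source_matches(src, url, self_origin):
    """Does one parsed source allow the given URL? 'self' is compared against
    the document's own origin, whatever address that happens to be."""
    scheme, host, port = origin_of(url)
    if src[0] == "self":
        return (scheme, host, port) == self_origin
    _, s_scheme, s_host, s_port = src
    if s_scheme is not None and s_scheme != scheme:
        return False
    if s_host != host:
        return False
    if s_port is not None and s_port != port:
        return False
    return True


def policy_allows(directive_value, url, document_url):
    """True if any source in the directive value allows url, with 'self'
    resolved from document_url."""
    self_origin = origin_of(document_url)
    sources = parse_directive_value(directive_value)
    return any(source_matches(s, url, self_origin) for s in sources)


if __name__ == "__main__":
    # Constructed scenario: a router admin page at a private address using 'self'.
    router = "https://192.168.0.1/"
    print(policy_allows("'self'", "https://192.168.0.1/app.js", router))   # True
    print(policy_allows("'self'", "https://192.168.0.2/app.js", router))   # False
    print(directive_is_valid("'self' 127.0.0.1:8080"))                     # True
    print(directive_is_valid("'self' 192.168.0.1"))                        # False
```

The point the example makes concrete is that the two rules live in different places: the IP-literal restriction is a parse-time check on the policy text, while 'self' is resolved at match time from the document's origin, so a policy of just `'self'` keeps working on 192.168.0.1 even though `192.168.0.1` would be rejected if written out as a host-source.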

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC