Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

On Wed, Jan 28, 2015 at 6:34 PM, Brian Smith <brian@briansmith.org> wrote:

> I want to clarify my initial suggestion: It is fine for the CSP
> *syntax* to restrict itself to 120.0.0.1 and ::1 as far as IP
> addresses is concerned, but CSP needs to be able to handle 'self'
> referring to any IP address, including in particular private
> addresses. Otherwise, there'd be no way for,a home router
> configuration interface that typically lives at
> http[s]:///192.168.0.1/ to use CSP. This nuance should be explicitly
> called out in the spec.
>

Yes, that nuance is important. I've made a note in
https://github.com/w3c/webappsec/commit/aba91ac272ce02a8948aeeab6bca1d9aa109d990
which hopefully clarifies the intent.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 29 January 2015 08:46:44 UTC