W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Joel Weinberger <jww@chromium.org>
Date: Thu, 29 Jan 2015 09:42:22 +0000
Message-ID: <CAHQV2K=4JK869uUFzYibbF9Yc+1ukyLOk31SH-bpgUm2q6=XyA@mail.gmail.com>
To: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>
Cc: Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Not to add too much fuel to the fire here, but what if, for cleanliness,
the spec did not allow *any* IP address, but did specify that user agents
treat a src of localhost as equivalent to and ::1?

On Thu Jan 29 2015 at 9:49:10 AM Mike West <mkwst@google.com> wrote:

> On Wed, Jan 28, 2015 at 6:34 PM, Brian Smith <brian@briansmith.org> wrote:
>> I want to clarify my initial suggestion: It is fine for the CSP
>> *syntax* to restrict itself to and ::1 as far as IP
>> addresses is concerned, but CSP needs to be able to handle 'self'
>> referring to any IP address, including in particular private
>> addresses. Otherwise, there'd be no way for,a home router
>> configuration interface that typically lives at
>> http[s]:/// to use CSP. This nuance should be explicitly
>> called out in the spec.
> Yes, that nuance is important. I've made a note in
> https://github.com/w3c/webappsec/commit/aba91ac272ce02a8948aeeab6bca1d9aa109d990
> which hopefully clarifies the intent.
> -mike
> --
> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 29 January 2015 09:42:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:45 UTC