W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Thu, 29 Jan 2015 12:10:10 +0100
Message-ID: <CAKXHy=foFeX0z6sP-RhfJMXtaUE-kqg5_qvOgEwqrpEgDD-yUA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Joel Weinberger <jww@chromium.org>, Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 29, 2015 at 11:23 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Thu, Jan 29, 2015 at 11:18 AM, Mike West <mkwst@google.com> wrote:
> > The only piece that isn't defined is IPv6 matching. We define IP address
> > matching, it just doesn't make sense when wildcards come in. :)
>
> Do
>
>   http://2/
>
> and
>
>   http://0.0.0.2/
>
> match?
>
> Do
>
>   http://0.00.0.2/
>
> and
>
>   http://00.0.0.2/
>
> match?
>
> From my reading of the text neither worked.


You're right. These don't work.

We have a few options:

1. We can ignore the problem, and let `http://2/` fail to match `img-src
0.0.0.2` and match `img-src 2`.
2. We can normalize the URL, but not the source expression, and let `
http://2/` match `img-src 0.0.0.2', but fail to match `img-src 2`.
3. We can normalize both, and let `http://2/` match both `img-src 0.0.0.2`
and `img-src 2`.
4. We can throw away IP addresses entirely.

I prefer either #4 or #1. :)

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 29 January 2015 11:10:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC