- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 29 Jan 2015 12:18:45 +0100
- To: Mike West <mkwst@google.com>
- Cc: Joel Weinberger <jww@chromium.org>, Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 29, 2015 at 12:10 PM, Mike West <mkwst@google.com> wrote:
> We have a few options:
>
> 1. We can ignore the problem, and let `http://2/` fail to match `img-src 0.0.0.2` and match `img-src 2`.
> 2. We can normalize the URL, but not the source expression, and let `http://2/` match `img-src 0.0.0.2`, but fail to match `img-src 2`.
> 3. We can normalize both, and let `http://2/` match both `img-src 0.0.0.2` and `img-src 2`.
> 4. We can throw away IP addresses entirely.
>
> I prefer either #4 or #1. :)

Long term I prefer #3. I suspect we'll update the URL parser at least to perform normalization during parsing. Simply to be crystal clear about what network activity might take place without any spoofing risks.

--
https://annevankesteren.nl/
Received on Thursday, 29 January 2015 11:19:10 UTC
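The three matching behaviours enumerated in the quoted message, as an added example that is not part of the thread and not code from any browser or the CSP spec. It uses the WHATWG URL parser (the `URL` global in browsers and Node) as the normalizer, which is what turns the host `2` into `0.0.0.2`, and reduces CSP host-source matching to a plain host comparison: the `strategies` names, the `rawHost` regex and the trick of wrapping a bare host-source in `http://.../` so the same parser can normalize it are this example's own assumptions, and wildcards, ports and paths are deliberately left out.

```javascript
// Added example: how "http://2/" fares against `img-src 0.0.0.2` and
// `img-src 2` under the three normalisation options discussed above.
// Run with: node csp-ip-match.js

function rawHost(urlString) {
  // Option-1 view of a URL: take the host exactly as it was written,
  // without any IPv4 normalisation. (Example regex, not the spec's parser.)
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#:]+)/i.exec(urlString);
  if (!m) throw new Error(`not an absolute URL: ${urlString}`);
  return m[1].toLowerCase();
}

function normalizedHost(urlString) {
  // WHATWG URL parsing: a host whose last label is a number is parsed as an
  // IPv4 address, so "2" serialises as "0.0.0.2" and "0x7f.1" as "127.0.0.1".
  return new URL(urlString).hostname;
}

function normalizeSourceHost(expr) {
  // A host-source such as `2` is not a URL on its own. Assumption for this
  // example: expr is a bare host (no scheme, port, path or wildcard), so
  // wrapping it in http://.../ lets the same parser normalise it.
  return new URL(`http://${expr}/`).hostname;
}

const strategies = {
  // Option 1: ignore the problem; compare both sides literally.
  ignore: (url, expr) => rawHost(url) === expr.toLowerCase(),
  // Option 2: normalise the URL but not the source expression.
  normalizeUrlOnly: (url, expr) => normalizedHost(url) === expr.toLowerCase(),
  // Option 3: normalise both sides.
  normalizeBoth: (url, expr) =>
    normalizedHost(url) === normalizeSourceHost(expr),
};

function matches(strategy, url, expr) {
  if (!(strategy in strategies)) throw new Error(`unknown strategy ${strategy}`);
  return strategies[strategy](url, expr);
}

// Evaluate one URL against several host-sources under every strategy.
function matrix(url, exprs) {
  const out = {};
  for (const name of Object.keys(strategies)) {
    out[name] = {};
    for (const expr of exprs) out[name][expr] = matches(name, url, expr);
  }
  return out;
}

// Constructed sample: the exact case from the thread.
console.log(JSON.stringify(matrix('http://2/', ['0.0.0.2', '2']), null, 2));
```

The output table is the point Anne makes about option 3: only when both the URL and the source expression pass through the same parser does `http://2/` match both spellings, which is also the only arrangement where what the policy author wrote and what the network layer will actually connect to are guaranteed to agree.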