Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

On Thu, Jan 29, 2015 at 12:10 PM, Mike West <mkwst@google.com> wrote:
> We have a few options:
>
> 1. We can ignore the problem, and let `http://2/` fail to match `img-src
> 0.0.0.2` and match `img-src 2`.
> 2. We can normalize the URL, but not the source expression, and let
> `http://2/` match `img-src 0.0.0.2', but fail to match `img-src 2`.
> 3. We can normalize both, and let `http://2/` match both `img-src 0.0.0.2`
> and `img-src 2`.
> 4. We can throw away IP addresses entirely.
>
> I prefer either #4 or #1. :)

Long term I prefer #3. I suspect we'll update the URL parser at least
to perform normalization during parsing. Simply to be crystal clear
about what network activity might take place without any spoofing
risks.


-- 
https://annevankesteren.nl/

Received on Thursday, 29 January 2015 11:19:10 UTC