W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Joel Weinberger <jww@chromium.org>
Date: Thu, 29 Jan 2015 12:13:35 +0000
Message-ID: <CAHQV2K=Vyy=o7LhEY=0M=oqcmqXjTrm1yfVvvoL4EcNS3jGZiw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Like Mike, I prefer #4 or #1. If we allow IP addresses, I have no problem
telling developers "be consistent in how you represent your addresses".

On Thu Jan 29 2015 at 12:18:48 PM Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Thu, Jan 29, 2015 at 12:10 PM, Mike West <mkwst@google.com> wrote:
> > We have a few options:
> >
> > 1. We can ignore the problem, and let `http://2/` <http://2/> fail to
> match `img-src
> > 0.0.0.2` and match `img-src 2`.
> > 2. We can normalize the URL, but not the source expression, and let
> > `http://2/` <http://2/> match `img-src 0.0.0.2', but fail to match
> `img-src 2`.
> > 3. We can normalize both, and let `http://2/` <http://2/> match both
> `img-src 0.0.0.2`
> > and `img-src 2`.
> > 4. We can throw away IP addresses entirely.
> >
> > I prefer either #4 or #1. :)
>
> Long term I prefer #3. I suspect we'll update the URL parser at least
> to perform normalization during parsing. Simply to be crystal clear
> about what network activity might take place without any spoofing
> risks.
>
>
> --
> https://annevankesteren.nl/
>
Received on Thursday, 29 January 2015 12:14:04 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC