Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

Joel Weinberger <jww@chromium.org> wrote:
> Not to add too much fuel to the fire here, but what if, for cleanliness, the
> spec did not allow *any* IP address, but did specify that user agents treat
> a src of localhost as equivalent to 127.0.0.1 and ::1?

Wouldn't it be better to not support IP address literals at all in
WebAppSec standards, and also make whatever changes are necessary so
that web developers can always use "localhost" instead of "127.0.0.1"
or "::1" in all cases?

Cheers,
Brian

Received on Thursday, 29 January 2015 17:49:19 UTC