Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison) from Brian Smith on 2015-01-29 (public-webappsec@w3.org from January 2015)

From: Brian Smith <brian@briansmith.org>
Date: Thu, 29 Jan 2015 09:48:52 -0800
To: Joel Weinberger <jww@chromium.org>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt57dWO=M-eBR6-OcgL304gwaV+q9juHMo4U9c7hCVUH3g@mail.gmail.com>

Joel Weinberger <jww@chromium.org> wrote:
> Not to add too much fuel to the fire here, but what if, for cleanliness, the
> spec did not allow *any* IP address, but did specify that user agents treat
> a src of localhost as equivalent to 127.0.0.1 and ::1?

Wouldn't it be better to not support IP address literals at all in
WebAppSec standards, and also make whatever changes are necessary so
that web developers can always use "localhost" instead of "127.0.0.1"
or "::1" in all cases?

Cheers,
Brian

Received on Thursday, 29 January 2015 17:49:19 UTC