W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Brian Smith <brian@briansmith.org>
Date: Thu, 29 Jan 2015 09:48:52 -0800
Message-ID: <CAFewVt57dWO=M-eBR6-OcgL304gwaV+q9juHMo4U9c7hCVUH3g@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Joel Weinberger <jww@chromium.org> wrote:
> Not to add too much fuel to the fire here, but what if, for cleanliness, the
> spec did not allow *any* IP address, but did specify that user agents treat
> a src of localhost as equivalent to and ::1?

Wouldn't it be better to not support IP address literals at all in
WebAppSec standards, and also make whatever changes are necessary so
that web developers can always use "localhost" instead of ""
or "::1" in all cases?

Received on Thursday, 29 January 2015 17:49:19 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:45 UTC