Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison) from Joel Weinberger on 2015-01-29 (public-webappsec@w3.org from January 2015)

From: Joel Weinberger <jww@chromium.org>
Date: Thu, 29 Jan 2015 17:50:20 +0000
To: Brian Smith <brian@briansmith.org>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAHQV2KmZ7vkxxnGWR8dHFTkJRtOiNcojUXJFYyqM2uifTY3pvg@mail.gmail.com>

On Thu Jan 29 2015 at 6:48:54 PM Brian Smith <brian@briansmith.org> wrote:

> Joel Weinberger <jww@chromium.org> wrote:
> > Not to add too much fuel to the fire here, but what if, for cleanliness,
> the
> > spec did not allow *any* IP address, but did specify that user agents
> treat
> > a src of localhost as equivalent to 127.0.0.1 and ::1?
>
> Wouldn't it be better to not support IP address literals at all in
> WebAppSec standards, and also make whatever changes are necessary so
> that web developers can always use "localhost" instead of "127.0.0.1"
> or "::1" in all cases?
>
Yeah, that works for me, too :-)

>
> Cheers,
> Brian
>

Received on Thursday, 29 January 2015 17:50:48 UTC