Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

On Thu Jan 29 2015 at 6:48:54 PM Brian Smith <brian@briansmith.org> wrote:

> Joel Weinberger <jww@chromium.org> wrote:
> > Not to add too much fuel to the fire here, but what if, for cleanliness, the
> > spec did not allow *any* IP address, but did specify that user agents treat
> > a src of localhost as equivalent to 127.0.0.1 and ::1?
>
> Wouldn't it be better to not support IP address literals at all in
> WebAppSec standards, and also make whatever changes are necessary so
> that web developers can always use "localhost" instead of "127.0.0.1"
> or "::1" in all cases?
>
Yeah, that works for me, too :-)

>
> Cheers,
> Brian
>

Received on Thursday, 29 January 2015 17:50:48 UTC