Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Joel Weinberger <jww@chromium.org>
Date: Thu, 29 Jan 2015 17:50:20 +0000
Message-ID: <CAHQV2KmZ7vkxxnGWR8dHFTkJRtOiNcojUXJFYyqM2uifTY3pvg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu Jan 29 2015 at 6:48:54 PM Brian Smith <brian@briansmith.org> wrote:

> Joel Weinberger <jww@chromium.org> wrote:
> > Not to add too much fuel to the fire here, but what if, for cleanliness, the
> > spec did not allow *any* IP address, but did specify that user agents treat
> > a src of localhost as equivalent to 127.0.0.1 and ::1?
>
> Wouldn't it be better to not support IP address literals at all in
> WebAppSec standards, and also make whatever changes are necessary so
> that web developers can always use "localhost" instead of "127.0.0.1"
> or "::1" in all cases?
>
Yeah, that works for me, too :-)

>
> Cheers,
> Brian
>
Received on Thursday, 29 January 2015 17:50:48 UTC