Are include_subdomains configurations allowed for raw IPs? #160

Closed
chlily1 opened this issue Jun 4, 2019 · 2 comments
Labels
report-delivery Covers the core delivery of reports via HTTP

Comments

chlily1 commented Jun 4, 2019

Should a raw IP address be allowed to set an include_subdomains endpoint group configuration? Numeric IP addresses don't really have "subdomains", so it's unclear what the semantics of that would be. How should such Report-To headers be handled? Should we reject the endpoint group, or just ignore the include_subdomains flag?

dcreager (Member) commented

I think the right behavior is to ignore the include_subdomains flag — as you say, there isn't a domain in the origin to get the subdomains of! Raw IP requests would tend to be problematic in other ways, though — Reporting is only activated for validated HTTPS connections, so the server would have to be using a certificate that uses that raw IP address as the common name, if I'm reading all of the specs correctly. Which should be pretty rare. But still worth calling out what to do in this situation!

I'll add a quick clarifying note about this.

@dcreager dcreager added the report-delivery Covers the core delivery of reports via HTTP label Jun 26, 2019
dcreager (Member) commented

This is related to #156. By fixing that algorithm to work on origins, instead of domains, we'll have a chance to explicitly clarify what should happen for raw IP address requests.

clelland added a commit that referenced this issue Oct 19, 2020
Clean up subdomain match logic

Subdomain matching applies to domain names, but we were applying the
logic to origins.  Not all origins have domain names!  This cleans up
the text to make it more precise.  A nice side effect is that it's now
more well-defined what should happen e.g. to `include_subdomains`
policies for requests to a raw IP address.

(This was originally PR #163 by @dcreager)

Closes: #156 #160
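
The behaviour discussed in this thread (keep the endpoint group, but ignore `include_subdomains` when the origin's host is a raw IP address), sketched as an added Python example; it is not code from the Reporting specification or from any participant. The function names, the stored-group dictionary, the sample header and the host-only subdomain comparison are assumptions made for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample Report-To value (a single endpoint group), not from the thread.
SAMPLE_HEADER = (
    '{"group": "default", "max_age": 86400, "include_subdomains": true,'
    ' "endpoints": [{"url": "https://reports.example/upload"}]}'
)


def host_is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def store_group(origin, header_value):
    """Model of storing one endpoint group delivered by `origin`."""
    group = json.loads(header_value)
    host = urlsplit(origin).hostname
    wants_subdomains = group.get("include_subdomains") is True
    return {
        "origin": origin,
        "host": host,
        "name": group.get("group", "default"),
        # The group is kept; only the flag is dropped when there is no domain name.
        "include_subdomains": wants_subdomains and not host_is_ip(host),
    }


def group_applies(stored, request_origin):
    """Does a stored group cover a report generated for request_origin?"""
    if request_origin == stored["origin"]:
        return True
    if not stored["include_subdomains"]:
        return False
    req_host = urlsplit(request_origin).hostname
    if req_host is None or host_is_ip(req_host):
        return False  # an IP literal is never a subdomain of anything
    # Assumption: compare host names only, on a label boundary
    # (a.example.com is under example.com, badexample.com is not).
    return req_host.endswith("." + stored["host"])
```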