The CSP specification does not mention IP addresses at all.
Unlike IPv4, IPv6 addresses do not fit in the current host-part rule. Could you either specify that the CSP is not intended for IP addresses, or include IPv6 addresses in the specification?
This behavior is deliberately undefined and unsupported. In practice, meaningful construction of web applications relying on the security properties of web origins using IP addresses is just not done. I don't believe such are well supported by CORS, cross-origin messaging or other parts of the broad HTML5 spec set.
Mike West notes that we allow IPv4 but do not validate them in any way, and would need to add brackets and colons to the valid http://www.w3.org/TR/CSP2/#host-part production rule to similarly accommodate IPv6 addresses.
The IPv6 format is described in https://tools.ietf.org/html/rfc4291#section-2.2
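The gap discussed in this thread can be seen by checking source expressions against the CSP2 host-source grammar. The following is an added example, not code from the specification or from any participant in the thread; the grammar is transcribed from the CSP2 host-part production linked above, the path-part is simplified, and `checkHostSource` and the sample addresses are hypothetical names and constructed values.

```javascript
// Added example: CSP2 host-source grammar as a checker (not the spec's or the thread's code).
// host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char ); host-char = ALPHA / DIGIT / "-"
const HOST_CHAR = "[A-Za-z0-9-]";
const HOST_PART = `(?:\\*|(?:\\*\\.)?${HOST_CHAR}+(?:\\.${HOST_CHAR}+)*)`;
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";
const PORT_PART = ":(?:[0-9]+|\\*)";
const PATH_PART = "/[^\\s;,]*"; // simplified path-part (assumption)
const HOST_SOURCE = new RegExp(
  `^(?:${SCHEME}://)?(${HOST_PART})(?:${PORT_PART})?(?:${PATH_PART})?$`
);

// Hypothetical helper: reports whether expr fits the grammar and, if not,
// which characters in the host position fall outside host-char.
function checkHostSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) {
    const authority = expr
      .replace(new RegExp(`^${SCHEME}://`), "") // drop scheme-part
      .split("/")[0]                            // drop path-part
      .replace(/:(?:[0-9]+|\*)$/, "");          // drop a trailing port-part
    const offending = [...new Set(authority)].filter((c) => !/[A-Za-z0-9.*-]/.test(c));
    return { matches: false, offending };
  }
  const host = m[1];
  // The grammar accepts any dotted run of digits; it never range-checks octets.
  const ipv4Like = /^[0-9]+(?:\.[0-9]+){3}$/.test(host);
  const octetsInRange = ipv4Like ? host.split(".").every((o) => Number(o) <= 255) : null;
  return { matches: true, host, ipv4Like, octetsInRange };
}

// Constructed sample expressions (documentation address ranges).
const samples = [
  "*.example.com",
  "192.0.2.1:8080",              // IPv4 literal: fits host-part
  "999.1.1.1",                   // not a real IPv4 address, still fits host-part
  "https://[2001:db8::1]:8443",  // bracketed IPv6: "[", ":" and "]" are not host-char
];
for (const s of samples) console.log(s, JSON.stringify(checkHostSource(s)));
```
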