CSP: host-part does not account for IPv6 addresses #49
Comments
|
This behavior is deliberately undefined and unsupported. In practice, meaningful construction of web applications relying on the security properties of web origins using IP addresses is just not done. I don't believe such are well supported by CORS, cross-origin messaging or other parts of the broad HTML5 spec set. |
|
Mike West notes that we allow IPv4 but do not validate them in any way, would need to add brackets and colons to the valid http://www.w3.org/TR/CSP2/#host-part production rule to similarly accommodate IPv6 addresses. |
mozfreddyb
pushed a commit
to mozfreddyb/webappsec
that referenced
this issue
Nov 3, 2014
Closes issue w3c#49.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The CSP specification does not mention IP addresses as all.
Unlike IPv4, IPv6 addresses does not fit in the current
host-partrule. Could you either specify that the CSP is not intended for IP addresses, or include IPv6 addresses in the specification?The IPv6 format is described in https://tools.ietf.org/html/rfc4291#section-2.2
The text was updated successfully, but these errors were encountered: