Anne van Kesteren wrote:
- Considerations around DNS rebinding.
Why would these be specific to XMLHttpRequest?
These indeed apply to just about any specification that uses a
same-origin policy. But that's not a justification for ignoring them
here. DNS rebinding has been both obvious and overlooked for some
10-15 years, so reminding reviewers and implementers of both the
security risk and the countermeasures would seem appropriate.
But you could e.g. do this kind of attack using <img> or <form> as well.
It seems this problem should be pointed out in the HTTP specification.
...
Is re-binding == spoofing? Does
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.15.3> help,
or does it need to be updated (Thomas; HTTPbis will gladly accept your
input ;-).
...
It does not define the policy. It just uses it.
It does not define what "same-origin" means.
That would be a bug in HTML5.
...
HTML5 defines when two origins are the same, but it's remarkably silent
about the so-called "same-origin policy". The information may be there,
but it's not obvious where it is.
...
Best regards, Julian
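One of the DNS rebinding countermeasures the thread alludes to, as an added example that is not from the thread or any of its participants: a server-side Host header allowlist. A rebinding attack can steer a browser's requests to a different IP address, but the browser still fills in the Host header from the name it resolved, so a service that only answers for the names it actually serves rejects the rebinding request before any origin-scoped logic runs. The host names, `host_allowed`, `normalize_host` and `check_request` are assumptions for this illustration.

```python
# Added example (not from the thread): a Host header allowlist as a
# DNS-rebinding countermeasure on the server side.
from typing import Optional

# Hypothetical names this service is deployed under.
ALLOWED_HOSTS = {"app.example.internal", "localhost"}


def normalize_host(host_header: str) -> str:
    """Lower-case the name and drop an optional port.

    IPv6 literals keep their brackets so "[::1]:8080" becomes "[::1]".
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def host_allowed(host_header: Optional[str]) -> bool:
    """True only if the request's Host header names this service.

    A rebinding request carries the attacker-controlled name the browser
    resolved, never one of ours, so an exact allowlist match is enough.
    """
    if not host_header:
        return False  # HTTP/1.1 requires Host; treat its absence as a mismatch
    return normalize_host(host_header) in ALLOWED_HOSTS


def check_request(headers: dict) -> int:
    """HTTP status to answer with before routing the request at all."""
    return 200 if host_allowed(headers.get("Host")) else 400


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one as a rebinding
    # victim's browser would send it (our IP, attacker's host name).
    for hdrs in ({"Host": "app.example.internal:8443"},
                 {"Host": "attacker.example"}):
        print(hdrs, "->", check_request(hdrs))
```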