On Tue, Feb 9, 2010 at 5:48 AM, Maciej Stachowiak <mjs@apple.com> wrote:

> If HTTP had a requirement to check the Host header and all servers followed
> it, then the risk of DNS rebinding attacks would be eliminated for conforming
> servers. Meanwhile clients can only implement mitigation strategies that are
> only partially effective or inordinately complex or both. And client-side
> protections can risk breaking completely valid DNS round-robin load balancing
> setups.

I can see this as a SHOULD, but not as a MUST as I'm not a fan of httpbis making such fundamental changes. Enforcing this as a MUST would certainly break most httpd configs that rely upon virtual hosting in odd ways - so I'm not even sure httpd would make this the default, but rather opt-in at best.

-- justin

Received on Tuesday, 9 February 2010 18:29:01 GMT
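The server-side check the quoted message describes, as an added example that is not code from this thread or from httpd (the hostname allowlist and listen ports are constructed for the example): a server that answers only requests whose Host header names a hostname it is configured to serve, so a rebinding request still carrying the attacker's hostname is refused.

```python
"""Host-header validation as a server-side defence against DNS rebinding.
Added example, not code from the thread or from httpd; the allowlist and
listen ports are constructed for the example."""

ALLOWED_HOSTS = {"app.example.com", "intranet.example.com"}  # constructed
LISTEN_PORTS = {80, 8080}  # ports this server listens on (constructed)

def parse_host(header_value):
    """Split a Host value into (hostname, port); port is None when absent.
    Handles bracketed IPv6 literals such as "[::1]:8080"."""
    value = header_value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port = rest[1:] if rest else ""
    else:
        host, _, port = value.partition(":")
    if not host:
        raise ValueError("empty hostname")
    if port == "":
        return host, None
    if not port.isdigit():
        raise ValueError("non-numeric port")
    return host, int(port)

def host_is_acceptable(header_value, allowed=ALLOWED_HOSTS, ports=LISTEN_PORTS):
    """True only when Host names a hostname this server serves. In a
    rebinding attack the browser still sends the attacker's hostname in
    Host, so a conforming server that checks it refuses the request."""
    if header_value is None:
        return False  # HTTP/1.1 requires Host; absence is a bad request
    try:
        host, port = parse_host(header_value)
    except ValueError:
        return False
    if port is not None and port not in ports:
        return False
    return host.rstrip(".") in allowed

def response_status(headers):
    """Status for a request's headers (constructed dict, names lower-cased):
    400 when the Host check fails, otherwise 200."""
    return 200 if host_is_acceptable(headers.get("host")) else 400
```

A deployment with a catch-all virtual host would need an explicit allowlist of its own before such a check could be switched on, which is the configuration burden the reply points to.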