
Re: [XHR] XMLHttpRequest specification lacks security considerations

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 09 Feb 2010 11:50:40 -0800
Cc: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Thomas Roessler <tlr@w3.org>, W3C WebApps WG <public-webapps@w3.org>, public-web-security@w3.org
Message-id: <593913B6-5274-49FF-B86C-156312378D38@apple.com>
To: Aryeh Gregor <Simetrical+w3c@gmail.com>

On Feb 9, 2010, at 11:46 AM, Aryeh Gregor wrote:

> On Tue, Feb 9, 2010 at 7:13 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>> HTTPbis should address this threat in the security considerations section, and should strongly consider making it a MUST-level requirement for servers to check that the Host header is a host they serve. If HTTP had that requirement and all servers followed it, then the risk of DNS rebinding attacks would be eliminated.
> 
> Servers don't always know what domains they're expected to serve -- if
> I sudo apt-get install lighttpd and already have a domain name
> pointing to the server, I expect that domain name to work with no
> additional configuration.  And this is how all the web servers I've
> used actually work.  So, I imagine this requirement is infeasible.

A server can generally determine the domain name of the host it is running on from the operating system, if it wants to run with zero configuration. That is apparently what Apache does:

http://httpd.apache.org/docs/1.3/mod/core.html#servername

Regards,
Maciej
Received on Tuesday, 9 February 2010 19:51:15 GMT
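The Host-header check argued for in the message above, as an added example that is not part of the thread, of Apache, or of lighttpd: a small Python request gate that answers 400 unless the Host header names a host the server is configured to serve, so a request that reaches the server only because a browser's DNS answer was rebound (and therefore carries a foreign Host) is refused. The zero-configuration default that derives the served name from the OS hostname is this example's own assumption (socket.gethostname/getfqdn), not a description of Apache's ServerName logic; the SERVED allow-list and the sample requests are constructed.

```python
"""Host-header allow-list as a server-side DNS rebinding mitigation (added example)."""
import socket
from typing import Iterable, Optional, Set


def normalize_host(host_header: str) -> Optional[str]:
    """Canonical hostname from a Host header value, or None if malformed.

    Strips an optional :port suffix (bracketed IPv6 literals included),
    lower-cases, and drops a trailing dot so comparisons are exact.
    """
    value = host_header.strip()
    if not value:
        return None
    if value.startswith("["):            # IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[: end + 1], value[end + 1 :]
        if rest and not rest.startswith(":"):
            return None
    else:
        host, _, port = value.partition(":")
        if port and not port.isdigit():  # a second ':' means a bare, unbracketed IPv6 literal
            return None
    host = host.lower().rstrip(".")
    return host or None


def default_served_hosts() -> Set[str]:
    """Zero-configuration default: the names the OS reports for this machine.

    Assumption of this example (the thread only says Apache derives ServerName
    from the OS); an operator-supplied list should take precedence.
    """
    names = {socket.gethostname(), socket.getfqdn()}
    return {n.lower().rstrip(".") for n in names if n}


def host_is_served(host_header: str, served_hosts: Iterable[str]) -> bool:
    """True if the Host header names a host in the allow-list."""
    host = normalize_host(host_header)
    if host is None:
        return False
    allowed = {h.lower().rstrip(".") for h in served_hosts}
    return host in allowed


def dispatch(raw_request: bytes, served_hosts: Iterable[str]) -> int:
    """Minimal request gate: parse the header block and return an HTTP status.

    400 when Host is missing (HTTP/1.1 already requires that), duplicated, or
    names a host this server does not serve; otherwise 200.
    """
    try:
        head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return 400
    lines = head.split("\r\n")
    hosts = [l.split(":", 1)[1] for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:                  # missing or duplicated Host header
        return 400
    return 200 if host_is_served(hosts[0], served_hosts) else 400


# Constructed sample traffic for a server configured to serve only example.com.
SERVED = {"example.com", "www.example.com"}
GOOD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
GOOD_PORT = b"GET / HTTP/1.1\r\nHost: WWW.Example.com:8080\r\n\r\n"
# Rebinding case: the browser's DNS answer pointed attacker.example at this
# server's IP, so the request arrives here but names a host we never served.
REBOUND = b"GET /admin HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
IP_LITERAL = b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD, GOOD_PORT, REBOUND, IP_LITERAL, NO_HOST):
        print(dispatch(req, SERVED), req.split(b"\r\n")[:2])
```

Only the two requests naming example.com (with or without a port, any letter case) get 200; the rebound name, the bare IP literal and the request with no Host header are all answered 400 before any application code runs, which is the behaviour the message asks HTTPbis to require of servers.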
