- From: Justin Erenkrantz <justin@erenkrantz.com>
- Date: Tue, 9 Feb 2010 10:21:17 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Feb 9, 2010 at 5:48 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> If HTTP had a requirement to check the Host header and all servers followed it, then the risk of DNS rebinding attacks would be eliminated for conforming servers. Meanwhile clients can only implement mitigation strategies that are only partially effective or inordinately complex or both. And client-side protections can risk breaking completely valid DNS round-robin load balancing setups.

I can see this as a SHOULD, but not as a MUST as I'm not a fan of httpbis making such fundamental changes. Enforcing this as a MUST would certainly break most httpd configs that rely upon virtual hosting in odd ways - so I'm not even sure httpd would make this the default, but rather opt-in at best.

-- justin
Received on Tuesday, 9 February 2010 18:29:01 UTC
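An added example, not code from the thread or from httpd, of the server-side Host check the message is about: a rebound request still carries the attacker's name in its Host header, so a server that answers only for its configured virtual-host names refuses it regardless of what the client resolved. The allow-list, listening port and sample requests are constructed for illustration.

```python
# Constructed stand-in for the virtual-host names an httpd instance is configured to serve.
CONFIGURED_HOSTS = {"www.example.com", "example.com", "api.example.com"}


def parse_host_header(value):
    """Return (hostname, port or None) from a Host header value, or None if malformed.
    Handles bracketed IPv6 literals such as "[::1]:8080"; names are lower-cased
    and a trailing dot is dropped so comparison against the allow-list is exact."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = ":" + rest if sep else ""
    if not host:
        return None
    port = None
    if rest:
        if not rest[1:].isdigit():   # anything after the name must be ":<digits>"
            return None
        port = int(rest[1:])
    return host.lower().rstrip("."), port


def host_is_allowed(host_header, configured=CONFIGURED_HOSTS, listen_port=80):
    """True only if Host names one of this server's configured hosts and, when a
    port is present, it is the port this server is actually listening on."""
    parsed = parse_host_header(host_header)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port != listen_port:
        return False
    return host in configured


def triage(raw_requests, **kw):
    """For each raw HTTP/1.1 request head, decide 'serve' or 'reject (400)'.
    Exactly one Host header is required; a missing or duplicated one is rejected."""
    verdicts = []
    for raw in raw_requests:
        header_lines = raw.split("\r\n")[1:]
        hosts = [h.split(":", 1)[1] for h in header_lines if h.lower().startswith("host:")]
        ok = len(hosts) == 1 and host_is_allowed(hosts[0], **kw)
        verdicts.append("serve" if ok else "reject (400)")
    return verdicts
```

The check never consults DNS, which is why it is unaffected by the round-robin setups that client-side mitigations can break; the cost is the one the message names, namely that any vhost name not on the list, including a bare IP address or a catch-all default host, stops being served.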