[whatwg/fetch] Checking host header to prevent DNS rebinding (#1043)

A previous version of this document https://www.w3.org/TR/2020/SPSD-cors-20200602/ recommended checking the Host header to prevent DNS rebinding attacks:

> In addition to checking the Origin header, resource authors are strongly encouraged to also check the Host header. That is, make sure that the host name provided by that header matches the host name of the server on which the resource resides. This will provide protection against DNS rebinding attacks.

The current version, as far as I can tell, doesn't mention this. If I git bisected correctly, this was the commit that removed that recommendation (waaaaay back in 2013: https://github.com/whatwg/fetch/commit/adec3d2bf35726b46dd6c0079ff01dba8e154711). 

Is checking the Host header no longer recommended? Not sure if deleting that recommendation was because it's no longer recommended, or just felt out of scope for what the document was about or something.

Thanks!
Max

https://github.com/whatwg/fetch/issues/1043

Received on Friday, 26 June 2020 16:43:12 UTC
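The check the quoted 2020 text recommends, written out as an added example (it is not code from the issue author, the Fetch specification, or any particular server). It assumes a server that legitimately answers for `app.example.com` and `localhost` on port 443 and trusts only the origin `https://app.example.com`; those names, the `ALLOWED_HOSTS`, `SERVER_PORT` and `TRUSTED_ORIGINS` constants, and the sample requests are constructed for illustration. The example shows why the Host check is not redundant with the Origin check: a page on `attacker.example` that has rebound its DNS name to the server's IP makes what the browser considers a same-origin request, so a plain GET carries no `Origin` header at all, and only the `Host` value gives the request away.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed deployment facts for this example (not from the issue):
# the names this server is reachable under, its port, and the trusted origin.
ALLOWED_HOSTS = {"app.example.com", "localhost"}
SERVER_PORT = 443
TRUSTED_ORIGINS = {"https://app.example.com"}


def parse_host_header(value):
    """Split a Host header into (hostname, port); return None if malformed.

    Accepts 'example.com', 'example.com:443', '[::1]' and '[::1]:443'.
    Anything with a path, query, fragment or userinfo is not a host and is rejected.
    """
    if value is None:
        return None
    value = value.strip()
    if not value:
        return None
    try:
        parts = urlsplit("//" + value)   # reuse stdlib authority parsing
        host, port = parts.hostname, parts.port  # .port raises on a bogus port
    except ValueError:
        return None
    if host is None or parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    # hostname is already lowercased; drop a trailing dot so 'a.example.com.' compares equal
    return host.rstrip("."), port


def host_header_allowed(host_header):
    """The DNS-rebinding defence: Host must name this server, on this port."""
    parsed = parse_host_header(host_header)
    if parsed is None:
        return False
    host, port = parsed
    try:
        ip_address(host)   # a bare IP literal is never one of our configured names
        return False
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False
    return port in (None, SERVER_PORT)


def origin_allowed(origin_header):
    """Exact match of the serialized Origin against the trusted set."""
    return origin_header.strip().lower() in TRUSTED_ORIGINS


def check_request(headers):
    """Apply both checks from the quoted text. headers: dict of name -> value.

    Returns (allowed, reason). The Origin check only applies when the header is
    present; a rebound same-origin GET has none, which is what the Host check catches.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    if not host_header_allowed(norm.get("host")):
        return False, "host header does not name this server"
    origin = norm.get("origin")
    if origin is not None and not origin_allowed(origin):
        return False, "origin not trusted"
    return True, "ok"


# Constructed sample requests, one per case worth checking.
SAMPLE_REQUESTS = {
    "same-origin":       {"Host": "app.example.com", "Origin": "https://app.example.com"},
    "explicit-port":     {"Host": "App.Example.Com:443"},
    "rebound-get":       {"Host": "attacker.example"},                 # no Origin: same-origin to the browser
    "rebound-post":      {"Host": "attacker.example", "Origin": "https://attacker.example"},
    "ip-literal":        {"Host": "10.0.0.5:443"},
    "ipv6-literal":      {"Host": "[::1]"},
    "missing-host":      {},
    "path-in-host":      {"Host": "app.example.com/evil"},
    "wrong-port":        {"Host": "app.example.com:8080"},
    "cross-origin":      {"Host": "app.example.com", "Origin": "https://evil.example"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        allowed, reason = check_request(headers)
        print(f"{name:14s} {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Two caveats when wiring this into a real server: in HTTP/1.1 an absolute-form request target (`GET https://attacker.example/ HTTP/1.1`) takes precedence over the Host field, and in HTTP/2 the authority arrives in the `:authority` pseudo-header, so the value compared must be whatever authority the server actually derives for routing, not the raw `Host` line alone; and the trusted-origin set should be an exact-string match, never a prefix or substring test.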