Closed 0x11-dev closed 2 years ago
https://wicg.github.io/private-network-access/#dns-rebinding explains why the proposal is written the way it is. I don't think we'd be able to defend against DNS rebinding attacks if we didn't treat these transitions between public and private address spaces as crossing the network boundary this proposal aims to create.
Attacker can bypass it by sending fake response after DNS rebinding attack happened. It will not works as expected.
That's true!
There is a moderate amount of protection against this in the form of the request's target_ip_address_space
. This ensures that the attacker cannot use such a trampoline to attack localhost, though they can totally pivot to attacking 192.168.1.1 after responding from 192.168.1.199.
In general, this is not a perfect solution and in full generality we cannot guarantee that we are talking to the same server without HTTPS.
In any case, if the attacker already has a server running on 192.168.1.199, they probably can wreak much more havoc than attacking internal websites through the user's browser. Sure, the browser has cookies, but the server can send arbitrary bits to any network endpoint within its reach.
Closing, there has not been much activity.
Chromium block same origin fetch that don't process the preflight request. This behavior have not been addressed out in the RFC.
We should not break current same origin behavior for backward compatibility. Or will bring so much work to the developer, and break website without been noticed.
I have also filed a bug report to Chromium project https://bugs.chromium.org/p/chromium/issues/detail?id=1299676 .