WICG / private-network-access

https://wicg.github.io/private-network-access/

Allow same-origin fetches to potentially-trustworthy origins #89

Closed letitz closed 1 year ago

letitz commented 1 year ago

HTTPS prevents DNS rebinding, which is the only reason we apply PNA checks to same-origin fetches.

If a fetch is made from a potentially-trustworthy origin to itself, then an attacker could only be attacking themselves. If an attacker obtains a certificate for the victim origin, then it's too late for us to do anything about it.
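The rule proposed in the comment above, sketched as a decision function. This is an added example, not part of the thread or the specification text. The function names, the returned labels, the `public`/`private`/`local` ordering and the simplified "potentially trustworthy" test are assumptions made for illustration, and the sample cases are constructed.

```javascript
// Added example: helper names and result labels are illustrative, not spec text.
// Address spaces ranked from least to most private (assumed names).
const SPACE_RANK = new Map([["public", 0], ["private", 1], ["local", 2]]);

// Simplified stand-in for "potentially trustworthy origin" (assumption):
// TLS-authenticated schemes, plus loopback hosts.
function isPotentiallyTrustworthy(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         host === "[::1]" || /^127(\.\d{1,3}){3}$/.test(host);
}

function pnaDecision({ initiatorUrl, initiatorSpace, targetUrl, targetSpace }) {
  if (!SPACE_RANK.has(initiatorSpace) || !SPACE_RANK.has(targetSpace)) {
    throw new RangeError("unknown address space");
  }
  const initiator = new URL(initiatorUrl);
  const target = new URL(targetUrl);
  // Only a fetch into a more private space than the initiator's is in scope.
  if (SPACE_RANK.get(targetSpace) <= SPACE_RANK.get(initiatorSpace)) {
    return "not-private-network-request";
  }
  // Opaque origins serialize to "null" and must never compare equal.
  const sameOrigin = initiator.origin !== "null" && initiator.origin === target.origin;
  // Same origin implies same scheme and host, so testing the target is enough.
  if (sameOrigin && isPotentiallyTrustworthy(target)) {
    return "exempt-same-origin-trustworthy";
  }
  return "pna-check-required";
}

// Constructed cases. The address space is what the browser observed for the
// connection's IP, so one hostname can show up in two different spaces.
const CASES = [
  ["http-rebinding-shape", "http://app.example/", "public", "http://app.example/api", "private"],
  ["https-same-origin", "https://app.example/", "public", "https://app.example/api", "private"],
  ["https-cross-origin", "https://app.example/", "public", "https://router.example/", "private"],
  ["https-other-port", "https://app.example/", "public", "https://app.example:8443/", "private"],
  ["private-to-public", "https://intranet.example/", "private", "https://cdn.example/", "public"],
];

function runCases() {
  return Object.fromEntries(CASES.map(([name, initiatorUrl, initiatorSpace, targetUrl, targetSpace]) =>
    [name, pnaDecision({ initiatorUrl, initiatorSpace, targetUrl, targetSpace })]));
}
console.log(runCases());
```

The first two cases differ only in scheme: the plain-HTTP same-origin fetch stays subject to the check, while the HTTPS one is exempt.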

letitz commented 1 year ago

@johnathan79717 is looking into specifying this.