HTTPS prevents DNS rebinding, which is the only reason we apply PNA checks to same-origin fetches.
If a fetch is made from a potentially-trustworthy origin to itself, then an attacker could only be attacking themselves. If an attacker obtains a certificate for the victim origin, then it's too late for us to do anything about it.
HTTPS prevents DNS rebinding, which is the only reason we apply PNA checks to same-origin fetches.
If a fetch is made from a potentially-trustworthy origin to itself, then an attacker could only be attacking themselves. If an attacker obtains a certificate for the victim origin, then it's too late for us to do anything about it.