Defenses against cross-zone CSRF (with and without DNS rebinding) should be tested

[GoogleCodeExporter]

Opera has it ("A page on the public Internet requests data from your private 
intranet. For security reasons, automatic access is blocked, but you may choose 
to continue."), even though I'm not sure about its resistance to DNS rebinding.

NoScript has it as a default ABE rule ("Site LOCAL Accept from LOCAL Deny"), 
and it is rebinding-proof.

Mozilla is working on something, 
https://bugzilla.mozilla.org/show_bug.cgi?id=354493

Original issue reported on code.google.com by giorgio....@gmail.com on 29 Oct 2010 at 8:42

[GoogleCodeExporter]

Original comment by els...@gmail.com on 30 Oct 2010 at 3:41

• Added labels: Security, Type-Enhancement
• Removed labels: Type-Defect