t-artistik / browserscope

Automatically exported from code.google.com/p/browserscope
Apache License 2.0

Defenses against cross-zone CSRF (with and without DNS rebinding) should be tested #273

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Opera has it ("A page on the public Internet requests data from your private 
intranet. For security reasons, automatic access is blocked, but you may choose 
to continue."), even though I'm not sure about its resistance to DNS rebinding.

NoScript has it as a default ABE rule ("Site LOCAL Accept from LOCAL Deny"), 
and it is rebinding-proof.

Mozilla is working on something, 
https://bugzilla.mozilla.org/show_bug.cgi?id=354493

Original issue reported on code.google.com by giorgio....@gmail.com on 29 Oct 2010 at 8:42
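
Added example (not part of the original issue, and not NoScript's, Opera's or Mozilla's code): a sketch of a "Site LOCAL / Accept from LOCAL / Deny" decision, showing why a cross-zone check that classifies the destination once per hostname passes a rebound name while one evaluated against the address actually being connected to does not. The LOCAL ranges, the `ChangingResolver` stand-in for DNS, the host name `rebind.example` and the sample addresses are assumptions constructed for the illustration.

```python
import ipaddress

# LOCAL zone for this sketch (assumption): loopback, RFC 1918, link-local,
# and their IPv6 counterparts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in LOCAL_NETS)

class ChangingResolver:
    """Constructed stand-in for DNS whose answer changes between lookups."""
    def __init__(self, answers):
        self.answers = {h: list(a) for h, a in answers.items()}
    def resolve(self, host):
        seq = self.answers[host]
        return seq.pop(0) if len(seq) > 1 else seq[0]

def request(resolver, zone_cache, origin_ip, host, per_connection):
    """Apply 'Site LOCAL / Accept from LOCAL / Deny' to one request.
    Returns (allowed, ip_the_connection_would_use)."""
    connect_ip = resolver.resolve(host)
    if per_connection:
        dest_local = is_local(connect_ip)   # zone of the actual address
    else:
        # weak variant: zone decided once per hostname and then trusted
        dest_local = zone_cache.setdefault(host, is_local(connect_ip))
    allowed = (not dest_local) or is_local(origin_ip)
    return allowed, connect_ip

def scenario(per_connection):
    # Constructed sample: a public page (203.0.113.10) requests a host whose
    # second DNS answer points into the LAN.
    resolver = ChangingResolver(
        {"rebind.example": ["203.0.113.10", "192.168.1.1"]})
    cache = {}
    return [request(resolver, cache, "203.0.113.10", "rebind.example",
                    per_connection) for _ in range(2)]

if __name__ == "__main__":
    print("per-hostname zone:  ", scenario(False))
    print("per-connection zone:", scenario(True))
```

A browser test for this defense therefore needs a case where the name's answer changes between requests, not only a direct request to a private address.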

GoogleCodeExporter commented 9 years ago

Original comment by els...@gmail.com on 30 Oct 2010 at 3:41