|
From: | Maxime Devos |
Subject: | Re: [PATCH] Add resolve-relative-reference in (web uri), as in RFC 3986 5.2. |
Date: | Wed, 4 Oct 2023 00:30:05 +0200 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 |
The best prevention is not allowing redirects at all or only allowing redirections that keep the hostname intact -- while an option for much software, it isn't an option for web browsers.
Partially scratch that -- restricting to ‘keeping hostname intact’ is insufficient, because there could be a DNS record that points 'website via http' to 127.0.0.1, and hence a redirect from https://website --> http://website can change IP addresses from global Internet to local computer.
Best regards, Maxime Devos.
OpenPGP_0x49E3EE22191725EE.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
[Prev in Thread] | Current Thread | [Next in Thread] |