
Re: [PATCH] Add resolve-relative-reference in (web uri), as in RFC 3986


From: Vivien Kraus
Subject: Re: [PATCH] Add resolve-relative-reference in (web uri), as in RFC 3986 5.2.
Date: Wed, 04 Oct 2023 07:29:43 +0200
User-agent: Evolution 3.46.4

Le mercredi 04 octobre 2023 à 00:30 +0200, Maxime Devos a écrit :
> 
> >       The best prevention is not allowing redirects at all or only
> >       allowing redirections that keep the hostname intact -- while an
> >       option for much software, it isn't an option for web browsers.
> 
> Partially scratch that -- restricting to ‘keeping hostname intact’ is
> insufficient, because there could be a DNS record that points 'website
> via http' to 127.0.0.1, and hence a redirect from https://website -->
> http://website can change IP addresses from global Internet to local
> computer.

But then, it is not a problem with resolve-relative-reference, and not
even a risk with redirections; if the DNS changes before you query the
page, then the secret page leaks anyway, no redirection needed.

We could add a warning in the "http-request" method documentation,
like:

Be warned that if you are hosting a private HTTP(S) server on your
system, a DNS change for a public target URI to your internal IP
address, or following a redirection from a public target URI to your
private server, may lead you to consider the response originating from
your private server as public.

Would that be a good summary?

Vivien
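A defender-side sketch of the two checks this thread discusses, written in Python as an added example (it is not Guile code and not part of the (web uri) patch): a redirect is only followed when scheme, host and port all stay the same, and both the original target and any redirect target are refused when the name resolves to a loopback or private address, which is the case Vivien notes needs no redirect at all. The resolver is a constructed in-memory table standing in for DNS so the snippet runs offline; the hostnames and addresses in it are made up.

```python
import ipaddress
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. "website" is the
# thread's scenario: a public-looking name whose record points at the local host.
FAKE_DNS = {
    "website": ["127.0.0.1"],
    "public.example": ["11.22.33.44"],   # constructed; classified as a global address
    "intranet.example": ["10.0.0.5"],    # constructed; RFC 1918 private range
}

def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host.lower(), [])

def default_port(scheme: str) -> Optional[int]:
    return {"http": 80, "https": 443}.get(scheme)

def non_public(addr: str) -> bool:
    """True for loopback, private, link-local or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def check_target(url: str, resolve: Callable[[str], Iterable[str]] = fake_resolve) -> Optional[str]:
    """Return why the URL must not be treated as a public resource, or None if it may be."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return "not an http(s) URL with a host"
    addrs = list(resolve(u.hostname))
    if not addrs:
        return "host does not resolve"
    bad = [a for a in addrs if non_public(a)]
    if bad:
        return "host resolves to non-public address(es): " + ", ".join(bad)
    return None

def check_redirect(original: str, target: str, resolve=fake_resolve) -> Optional[str]:
    """Allow a redirect only if scheme, host and port are unchanged and the
    target passes the same resolution check as the original request."""
    o, t = urlsplit(original), urlsplit(target)
    if t.scheme != o.scheme:
        return f"scheme changed {o.scheme} -> {t.scheme}"
    if (t.hostname or "").lower() != (o.hostname or "").lower():
        return "host changed"
    if (t.port or default_port(t.scheme)) != (o.port or default_port(o.scheme)):
        return "port changed"
    return check_target(target, resolve)
```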
