
Re: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

2011-07-23 13:42:15
On Fri, Jul 22, 2011 at 9:47 AM, David Endicott 
<dendicott(_at_)gmail(_dot_)com> wrote:


Actually....I wasn't talking about the Host: header - that is totally
spoofable...I was concerned about:

1. Browser client resolves example.com via old style DNS to x.x.x.x and
fetches HTTP
2. Received HTML starts JS which starts WS connection
3. WS resolves example.com via DNS SRV to y.y.y.y and opens
4. WS now has access outside origin.

Please note, I did not specify why DNS SRV resolved differently than old
style DNS - could be malicious, could be a simple mistake. I am
assuming the DNS SRV and old DNS might be answered from different servers.


You definitely could set it up such that the results from an SRV lookup
point to a different server than that resulting from a lookup of AAAA or A;
that's kind of the point.  The SRV lookup is to a service within the
original domain, but the resulting lookup could have results outside it.
To go back to Dave Cridland's example, you can see that the result of the
SRV is another name requiring lookup.

;; ANSWER SECTION:
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     5 0 5269 xmpp-server.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server1.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server2.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server3.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server4.l.google.com.

You'd have to avoid the results triggering the antibodies to a cross-site
scripting attack in order to deploy this well, in my opinion.

regards,

Ted



Do browsers restrict origin / cross-site access based on name or on address?




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
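
An added example, not part of the original message or of the WebSocket draft: it parses the SRV answer quoted above and reports, for each record, whether the target name still lies inside the domain that was queried. The function names and the whole-label suffix comparison are assumptions chosen for illustration, not a description of how any browser enforces origin.

```python
import re

# SRV answer quoted in the message above, each record re-joined onto one line.
ANSWER = """\
_xmpp-server._tcp.gmail.com. 26125 IN SRV 5 0 5269 xmpp-server.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN SRV 20 0 5269 xmpp-server1.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN SRV 20 0 5269 xmpp-server2.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN SRV 20 0 5269 xmpp-server3.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN SRV 20 0 5269 xmpp-server4.l.google.com.
"""

# owner = _service._proto.domain, then TTL, class, type, priority, weight, port, target
SRV_RE = re.compile(
    r"^_[^.\s]+\._[^.\s]+\.(?P<domain>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

def labels(name):
    """Lower-case a DNS name and split it into labels, ignoring the root dot."""
    return name.rstrip(".").lower().split(".")

def within(target, domain):
    """True if target is domain itself or a subdomain, compared label by label."""
    t, d = labels(target), labels(domain)
    return len(t) >= len(d) and t[-len(d):] == d

def audit_srv(text):
    """Return (priority, target, port, in_domain) per SRV record, lowest priority first."""
    rows = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m is None:
            continue  # not an SRV answer line
        rows.append((int(m["priority"]), m["target"], int(m["port"]),
                     within(m["target"], m["domain"])))
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    for priority, target, port, in_domain in audit_srv(ANSWER):
        verdict = "inside" if in_domain else "OUTSIDE"
        print(f"{priority:>3} {target}:{port} {verdict} the queried domain")
```

Comparing whole labels rather than raw string suffixes keeps a name such as evilexample.com from being treated as part of example.com.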

