[whatwg] Limitations of IP addresses into the origin tuple

Adam Barth hk9565 at gmail.com
Wed Jan 9 14:35:06 PST 2008

The spec says:

"It's been suggested that we should put IP addresses into the origin
tuple, to mitigate DNS rebinding attacks. However that would kill
multi-homed systems like GMail. Should we do something like have a DNS
record say whether or not to include the IP in the origin for a host?"


Adding IP addresses to the origin tuple does not prevent DNS rebinding
attacks if any page on the target site embeds a script, style sheet,
other active content using a relative path.  Consider the following
example page:


<script src="lib.js"></script>

Suppose the attacker directs the user to
http://www.attacker.com/foo/baz.html, with www.attacker.com pointed to
the target's IP address,  The target serves the above
HTML, which runs in the origin (http, www.attacker.com, 80, and causes the user agent to request
http://www.attacker.com/foo/lib.js.  Now, the attacker rebinds
www.attacker.com to point to the attacker's IP address and serves
malicious JavaScript.  At this point, the attacker is running
malicious JavaScript in the origin that includes the target's IP
address and can proceed with the attack.

Adding IP address to the origin tuple both breaks existing web sites,
like Gmail, and is an ineffective defense against DNS rebinding.  We
recommend not adding IP address to the origin tuple.

Adam Barth and Collin Jackson

More information about the whatwg mailing list