The security considerations section says that user consent would be host-specific, but also that DNS rebinding protection would be limited to preventing connections to "private network addresses". There are two big problems with this:
1. If the DNS rebinding protection is only against rebinding to private IPs, you'd effectively grant permission to connect to any non-private IP at a specific port; the host component of the user consent is more or less useless. Perhaps this part could be improved a bit by requiring that the reverse DNS of the IP address matches the original hostname or so.
2. In IPv6, it is perfectly normal to have publicly routable IP addresses inside home networks and such. Filtering simply by a fixed list of private address blocks is useless for preventing connections to the local network.
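Both problems above, as an added example (not code from this issue or from the spec under discussion): a fixed private-block filter is run over constructed DNS answers and compared with the host's own on-link prefixes. The prefixes, addresses and function names are assumptions; `2001:db8::/32` and `203.0.113.0/24` are documentation ranges standing in for a delegated global IPv6 prefix and an unrelated public host.

```python
import ipaddress

# Fixed "private address" blocks of the kind a static filter would carry.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, IPv4 link-local
    "::1/128", "fe80::/10", "fc00::/7",               # loopback, link-local, ULA
)]

# Constructed home network: RFC 1918 IPv4 plus a globally routable IPv6 /64.
HOME_PREFIXES = ["192.168.1.0/24", "2001:db8:1234:1::/64"]

# Constructed DNS answers a consented hostname might later resolve to.
ANSWERS = ["192.168.1.10", "2001:db8:1234:1::20", "203.0.113.7"]


def _contains(networks, addr):
    """True if addr lies inside any of the given networks (same IP version)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def audit(addr, on_link_prefixes):
    """Return (allowed_by_fixed_list, on_local_network) for one address.

    on_link_prefixes is a hypothetical input: the prefixes configured on
    this host's interfaces, used here only as ground truth for "local".
    """
    allowed = not _contains(PRIVATE_BLOCKS, addr)
    local = _contains([ipaddress.ip_network(p) for p in on_link_prefixes], addr)
    return allowed, local


def missed_local_addresses(answers, on_link_prefixes):
    """Addresses the fixed list lets through although they are on the LAN."""
    return [a for a in answers if audit(a, on_link_prefixes) == (True, True)]


if __name__ == "__main__":
    for a in ANSWERS:
        allowed, local = audit(a, HOME_PREFIXES)
        print(f"{a:22} allowed_by_fixed_list={allowed} on_local_network={local}")
    print("missed:", missed_local_addresses(ANSWERS, HOME_PREFIXES))
```

The IPv6 LAN address passes the fixed list while being local (problem 2), and the unrelated public address passes with no tie to the consented host (problem 1).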
Can reverse DNS PTR records be spoofed per-request?
There are existing attacks that deanonymize users by watching for DNS resolves of special case subdomains, and in those cases (where they aren't cached) the DNS server could dynamically pick the response. This would possibly allow forging rDNS. Ensuring the rDNS isn't cached for an IPv4 address seems unrealistic, but I could see it working for IPv6.