Skip to content

Commit

Permalink
Add some extra detail about allowing external network connections.
Browse files Browse the repository at this point in the history
This doesn't add normative requirements, but encourages implementors to ship with secure
defaults, whilst mentioning that there are real-world use cases which require remote ends
to accept connections coming from somewhere other than localhost.
  • Loading branch information
jgraham committed Mar 18, 2022
1 parent a75942e commit b3adb90
Showing 1 changed file with 20 additions and 17 deletions.
37 changes: 20 additions & 17 deletions index.html
Original file line number Diff line number Diff line change
Expand Up @@ -465,11 +465,14 @@ <h3>Processing model</h3>
<p>Then <a>send an error</a> with <a>error code</a> <a>unknown
error</a>, and jump to step 1.</p>

<p class=note>Rejecting connections with unexpected values in the
<a>Host header</a> prevents DNS rebinding attacks. Implementations can opt
to provide more stringent controls where appropriate, for example
only accepting connections when the <var>host</var> value
corresponds to a loopback interface [[RFC5735]].</p></li>
<p class="note">Rejecting connections with unexpected values in the
<a>Host header</a> prevents DNS rebinding attacks. Implementations
can opt to provide more stringent controls where appropriate, for
example only accepting connections when the <var>host</var> value
corresponds to a loopback interface [[RFC5735]]. Further guidance
for implementors is given in the <a href="#security">security</a>
section.</p>
</li>

<li><p>If <var>origin</var> is not undefined and is not identical to
an <a>Origin header</a> value that the implementation has been
Expand Down Expand Up @@ -10494,18 +10497,18 @@ <h2>Security</h2>
and that WebDriver remains disabled
in publicly consumed versions of the user agent.

<p>To prevent arbitrary machines on the network
from connecting and creating <a>sessions</a>,
it is suggested that only connections from
loopback devices are allowed by default.

<p>The <a>remote end</a> can include
a configuration option to limit
the accepted IP range allowed to connect and make requests.
The default setting for this might be
to limit connections to the IPv4 localhost
CIDR range <code>127.0.0.0/8</code>
and the IPv6 localhost address <code>::1</code>. [[RFC4632]]
<p>To prevent arbitrary machines on the network from connecting and
creating <a>sessions</a>, it is suggested that only connections from
loopback devices are allowed by default. However, testing setups
commonly put the <a>remote end</a> and <a>local end</a> on different
network hosts. Users deploying such a setup are encouraged to
restrict access to the remote end to the greatest extent possible,
either by restricting network connections to trusted hosts (e.g. in
the case of a lab setting, or the remote end running in a containers
on the same bridged network), or by routing all connections through
an <a>intermediary node</a> that provides authorization and
authentication. <a>Remote end</a> implementors are encouraged to
provide minimal, opt-in, configuration to support these scenarios.

<p>It is also suggested that user agents
make an effort to visually distinguish
Expand Down

0 comments on commit b3adb90

Please sign in to comment.