serves the _javascript_ that opens the WS should remain constant. � If WS
That's an unfortunate misunderstanding.resolves the host/domain to a different address than the HTTP it was spawned
from, it becomes a method to bypass same-origin / CORS restrictions.
All protocols that use SRV records maintain the target domain.
So a ws://example.com/xyz would still send a Host header of "example.com", whether SRV or not, so there is no impact on same origin policy, CORS, etc.
> Good to know, thank you.
Actually....I wasn't talking about the Host: header - that is totally spoofable...I was concerned about:
1. Browser client resolves example.com via old style DNS to x.x.x.x and fetches HTTP
2. Received HTML starts JS which starts WS connection
3. WS resolves example.com via DNS SRV to y.y.y.y and opens
4. WS now has access outside origin.
Please note, I did not specify why DNS SRV resolved differently than old style DNS - could be�malicious, could be an simple mistake. � � I am assuming the DNS SRV and old DNS might be answered from different servers.
Do browsers restrict origin / cross-site access based on name or on address? ��
�
_______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf