For the DNS binding concern, I've been told that it's important that customers can access their consoles through either https://foo.example.net:6080 or https://192.168.8.8:6080. If we restricted access to a white list of domains, it would break that use case. Does anyone have thoughts on that?
For the http/https case, the code is checking the entire Origin, not just the domain. So, a MITM would have to spoof http://foo.example.net:6080 in order to hijack https://foo.example.net:6080. Is this the case you want to protect from? It seems that would be straightforward addition to the code... just check that the origin is HTTPS, if current connection is HTTPS.
For the DNS binding concern, I've been told that it's important that customers can access their consoles through either https:/ /foo.example. net:6080 or https:/ /192.168. 8.8:6080. If we restricted access to a white list of domains, it would break that use case. Does anyone have thoughts on that?
For the http/https case, the code is checking the entire Origin, not just the domain. So, a MITM would have to spoof http:// foo.example. net:6080 in order to hijack https:/ /foo.example. net:6080. Is this the case you want to protect from? It seems that would be straightforward addition to the code... just check that the origin is HTTPS, if current connection is HTTPS.