Being a network security specialist, I’ll ask these basic questions:

• what’s the universal definition of a private network?
• does this measure make sense in IPv6 within the global scope?
• is it the responsibility of the browser to secure against DNS rebinding?

My answers to these questions are:

• there is no universal definition, so this approach is doomed by design
• no
• heck, no; that’s the job of the webserver, by avoiding the so-called default virtual host. The Host/:authority header should always be verified, and this is sufficient to counter all forms of DNS rebinding.

There is pretty much no legitimate reason that a site from the internet should access the local network.

The only exception I’ve seen to this is Synology having a NAS finder webapp where it searches your local network for a Synology device and tells you the IP address. But that’s a tiny niche use case and there are other ways of finding it that doesn’t involve a website (the device broadcasts its identity and has a hostname FFS). Any open source IP scanner will find it instantly, or in many networks you can just type in the hostname into your browser like a domain.

It’s about time, attackers can extract quite a bit of data about the local network via the browser. It’s pretty easy to identify appliances and home routers given someone stays on a site long enough.

I thought this was something that they already patched. Good on Google this time