Closed
Description
The 20160926 version does acknowledge that having a server tell one where to post to does pose a security risk in the loopback note in 3.2, but does refer to that in the security considerations section.

Furthermore, it is my impression that the loopback criterion is insufficient: resources exclusively protected by origin policies could be present anywhere inside a link-local, VPN or firewalled network. Have other means of protection been explored? The first thing that comes to my mind would be a pre-flight OPTIONS that checks for an "I'm an inbox" indicator, especially given that for anything but an application/ld+json payload, such a pre-flight request is mandatory anyway.
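As an added illustration of the two sender-side checks discussed in this issue (it is example code written for this page, not part of the issue, the LDN specification or any implementation), the following Python guard refuses inbox URLs that resolve to loopback, link-local, private or otherwise non-public addresses, and then sends an OPTIONS pre-flight and only allows the POST when the target advertises itself as an inbox. The "I'm an inbox" indicator is modelled here as an Accept-Post header listing application/ld+json; that choice of header, the hostnames, the addresses and the canned responses are all assumptions constructed for the example. DNS resolution and the OPTIONS request are injected callables so the block runs offline.

```python
"""Sender-side guard for server-supplied inbox URLs (added example, not LDN project code)."""
import ipaddress
from urllib.parse import urlparse

LDN_MEDIA_TYPE = "application/ld+json"


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    Rejects loopback, link-local, RFC 1918 / ULA, multicast and the other
    special-purpose ranges, and unwraps IPv4-mapped IPv6 so that
    ::ffff:10.0.0.7 is judged as 10.0.0.7 rather than as an IPv6 address.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_multicast:
        return False
    return bool(ip.is_global)


def inbox_preflight_ok(options_response):
    """Accept the OPTIONS answer (status, headers) only if it advertises
    Accept-Post with the LDN media type (assumed indicator for this example)."""
    status, headers = options_response
    if status != 200:
        return False
    lowered = {name.lower(): value for name, value in headers.items()}
    offered = lowered.get("accept-post", "")
    media_types = [part.strip().split(";")[0].lower()
                   for part in offered.split(",") if part.strip()]
    return LDN_MEDIA_TYPE in media_types


def check_inbox(inbox_url, resolve, send_options):
    """Return (allowed, reason).

    resolve(host) -> list of IP strings; send_options(url) -> (status, headers).
    The address check runs first so that no request at all (not even the
    pre-flight) is sent towards a non-public host; the pre-flight is only the
    second layer, for hosts that are publicly addressed but still not an inbox.
    """
    parsed = urlparse(inbox_url)
    host = parsed.hostname
    if parsed.scheme != "https" or not host:
        return False, "inbox must be an https URL with a host"
    try:
        ipaddress.ip_address(host)       # literal IP in the URL: no DNS needed
        addresses = [host]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    non_public = [a for a in addresses if not is_public_address(a)]
    if non_public:
        return False, "resolves to non-public address " + ", ".join(non_public)
    if not inbox_preflight_ok(send_options(inbox_url)):
        return False, "OPTIONS pre-flight did not advertise Accept-Post: " + LDN_MEDIA_TYPE
    return True, "ok"


# Constructed fixtures standing in for DNS and the network (all names and
# addresses are made up for this example; 85.10.20.30 is simply a non-special
# public address).
FAKE_DNS = {
    "inbox.example.org": ["85.10.20.30"],
    "wiki.example.org": ["85.10.20.31"],
    "intranet.corp.example": ["10.0.0.7"],
    "printer.local": ["169.254.12.34"],
    "localhost": ["127.0.0.1"],
    "mapped.example.org": ["::ffff:10.0.0.7"],
}
FAKE_OPTIONS = {
    "https://inbox.example.org/inbox/": (200, {"Accept-Post": "text/turtle, application/ld+json"}),
    "https://wiki.example.org/pages/": (200, {"Allow": "GET, POST"}),
    "https://intranet.corp.example/admin/": (200, {"Accept-Post": "application/ld+json"}),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_send_options(url):
    return FAKE_OPTIONS.get(url, (405, {}))


def demo():
    """Run the guard over the constructed URLs; only the real inbox passes."""
    urls = [
        "https://inbox.example.org/inbox/",        # public, advertises inbox -> allowed
        "https://wiki.example.org/pages/",          # public, not an inbox -> rejected by pre-flight
        "https://intranet.corp.example/admin/",    # private range, even though it "advertises" -> no request sent
        "https://printer.local/",                   # link-local -> rejected
        "https://localhost/inbox/",                 # loopback -> rejected
        "https://mapped.example.org/inbox/",        # IPv4-mapped private -> rejected
        "https://[::1]/inbox/",                     # literal loopback -> rejected
        "http://inbox.example.org/inbox/",          # plaintext -> rejected
    ]
    return {url: check_inbox(url, fake_resolve, fake_send_options) for url in urls}


if __name__ == "__main__":
    for url, (allowed, reason) in demo().items():
        print("ALLOW" if allowed else "DENY ", url, "-", reason)
```

Two caveats apply when moving this into a real client. The address check is only meaningful if the connection is made to the address that was checked: resolving, checking and then connecting separately leaves a window for DNS rebinding, so the check belongs on the socket's actual peer address, and redirects (which would re-resolve to a new host) should be refused or re-checked. And the pre-flight is itself a request, so it cannot be the first line of defence: a bare OPTIONS can still probe an internal service, which is why the example sends nothing at all until the address check has passed.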