by ianhowson 2540 days ago
I would suggest that all requests must require a DNS lookup. No requests directly to IP addresses, full stop.

This prevents LAN enumeration from random websites. This is not a big deal for most home networks, but I shudder to think of the damage one could do in a standard corporate network.

It doesn't help with routers with well-known config URLs.

Yes, I realize that this will break a bunch of stuff.

(Edit: OK, DNS rebinding mostly breaks this proposal. Let me think about this harder.)

1 comment

How would this help at all? You could just have your domain return various LAN IPs for different names... there are already a ton of domains that return 127.0.0.1 for you. It would be trivial to make your own to do every possible IP, something like 127.0.0.1.myfakedomain.com, where it dynamically extracts the IP and returns it.
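As an added example (not code from either commenter), the scheme the reply describes, simulated offline in Python: a stand-in for a wildcard zone that answers with whatever address the client embeds in the name, next to the post-resolution address check that a "require a DNS name" rule lacks, and the zero-TTL rebinding case the first comment's edit concedes. The zone name myfakedomain.com comes from the reply; the sample addresses and the resolver behaviour are constructed, and no real DNS is queried.

```python
import ipaddress
import re
from typing import Optional

# Assumed attacker zone, taken from the comment above. No real lookups happen.
WILDCARD_ZONE = "myfakedomain.com"
_EMBEDDED_IPV4 = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\." + re.escape(WILDCARD_ZONE) + r"$"
)


def fake_resolve(hostname: str) -> Optional[str]:
    """Stand-in for the attacker's wildcard DNS server: the answer is whatever
    IPv4 address sits in the leftmost labels, e.g. 10.0.0.1.myfakedomain.com."""
    m = _EMBEDDED_IPV4.match(hostname.strip().lower())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:  # e.g. 999.1.1.1 is not an address
        return None


def passes_hostname_only_policy(target: str) -> bool:
    """The thread's proposal: refuse bare IP literals, allow any DNS name."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return True  # not an IP literal, so a lookup is required: allowed
    return False


def is_internal(ip: str) -> bool:
    """What the policy actually has to block: loopback, RFC 1918 / ULA,
    link-local, unspecified and other non-global destinations."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


class RebindingResolver:
    """Simulates a zero-TTL zone that answers a public address on the first
    query and a LAN address on every later one (constructed behaviour)."""

    def __init__(self, first: str, later: str):
        self.answers = [first, later]
        self.queries = 0

    def resolve(self, hostname: str) -> str:
        idx = min(self.queries, len(self.answers) - 1)
        self.queries += 1
        return self.answers[idx]


def check_then_connect_separately(resolver: RebindingResolver, host: str) -> Optional[str]:
    """Broken pattern: validate one lookup, then let connect() do its own.
    Returns the address the connection would actually reach, or None if blocked."""
    if is_internal(resolver.resolve(host)):
        return None
    return resolver.resolve(host)  # second lookup, possibly a different answer


def resolve_check_connect(resolver: RebindingResolver, host: str) -> Optional[str]:
    """Correct pattern: resolve once, validate that address, and connect to the
    validated address rather than re-resolving the name."""
    ip = resolver.resolve(host)
    if is_internal(ip):
        return None
    return ip


if __name__ == "__main__":
    for name in ("127.0.0.1.myfakedomain.com", "192.168.1.1.myfakedomain.com",
                 "10.0.0.1.myfakedomain.com"):
        ip = fake_resolve(name)
        print(f"{name}: name-only policy allows={passes_hostname_only_policy(name)}, "
              f"resolves to {ip}, internal={is_internal(ip)}")
```

The name-only rule lets every one of those hostnames through, while the address check catches all of them; and even the address check only holds if the validated address is the one the socket connects to, which is the gap a zero-TTL rebinding zone exploits.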