[taviso]

This is true, although until recently it was possible to use DNS rebinding to get the list of guids!

I actually saw people leaving this enabled so much in shipping products, I wrote a little utility to test for it.

https://github.com/taviso/cefdebug

[ff7c11]

Thanks that's really interesting, as I see from your reports you could call /json/list with rebinding to get the guid. For the past 2 years it now validates the Host header.