DNS rebinding vulnerability

Even if #19626 is fixed, the HTTP interface is still subject to CSRF via DNS rebinding. An expert opinion is required here.

I guess a session identifier should be required for all requests with an Origin header, e.g.:

/browse.xml?dir=foobar&hosthash=XXX

where XXX is a secure HMAC of the expected Origin header value with a pseudo-random secret (generated at start-up).