See https://incompleteness.me/blog/2007/04/18/csrf-anti-dns-pinning-and-ntlm/