On 01/20/2014 16:25, Gerardus Hendricks wrote:
With Tor Browser Bundle default settings any web-site can access to
local resources by JavaScript and XMLHttpRequest.
Could you please explain why the same-origin policy of Firefox doesn't
prevent this?
Which 'same-origin policy' are you referring to?
I only see security.fileuri.strict_origin_policy in FF, and it only
applies to the file URIs (as its name says).
Otherwise, cross origin access is allowed, as demoed here
http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html
Browsers should not allow cross origin from global URI to local URIs and
loopback addresses. There are only 3 classes of local IPs + loopback
address.
I am not able to verify this now. But if browser allows this, this is a
major security violation.
The danger of such cross-origin access is that the remote site can use
this to learn something about the local network of the client, which
should be disallowed.
Yuri
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
