-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I see the same behaviour with the latest Chrome running Linux:
$ nc -l -p 1234 GET / HTTP/1.1 Host: 127.0.0.1:1234 Connection: keep-alive User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36 Origin: http://tortestprivacy.url.ph Accept: */* DNT: 1 Referer: http://tortestprivacy.url.ph/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,de;q=0.6 So, appearently, Google does not enforce a same origin policy on this, either. On 21.01.2014 10:01, Olivier Cornu wrote: > Le 21/01/2014 05:06, TT Security a écrit : >> >>> I don't think browsers in general allow connections on >>> loopback interfaces, unless explicitly requested by users. >> >> I have Tor Browser Bundle 3.5 and Firefox 24.2.0 from there. Just >> open some port on your computer(only for testing) for example >> local web-server and try with Firefox from Tor Browser Bundle >> this page: http://tortestprivacy.url.ph/ You will see :) > > Fwiw, I can confirm this unfortunate behavior. :( TBB connecting to > loopback netcat socket from tortestprivacy.url.ph javascript: > > $ nc -l -p 1234 GET / HTTP/1.1 Host: 127.0.0.1:1234 User-Agent: > Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 > Firefox/26.0 Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 > Accept-Encoding: gzip, deflate DNT: 1 Referer: > http://tortestprivacy.url.ph/ Origin: http://tortestprivacy.url.ph > Connection: keep-alive > > -- Olivier Cornu > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJ8BAEBCgBmBQJS3jtgXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEM0ODA5N0EzQUY3RDU1MTg5QTc3QUMx NjlGOTYyNDM0MDg4MjVFAAoJEBafliQ0CIJe2pkP/RwQdxu+NqVfwd9RAj6gGIHd j24P19ci8Q1wTGsVh0Ci9bMUrJ/l3q3HohQZeQVYIGNiQKlioTe8qifloC2PGuO+ 18Nrp7rdV7hw1qNY9ME89v9AEaLrk3f+p340DYM3JxPC1rpfUdzROKuSvqoHVozY Upo+j7iZnF95ZQghp3lGXUYbtcirwMGRN6RwE6ngEdDEe3YIEAN5s9Zo0wcMw4I+ u8B2X5vyjZqfrVRgR4dOzqifTJnfyZTfPldvuGZ2WVV4GKDuVnRJveHSZtzRdGv0 hhILrmxBmCgJpJtTLowOOHIKlf2gPwQE1gqKuhvVaHF8w6gdqx36M/Do3GCRt6D4 R9+pEBJUKL+KUZQCINwEFSVclsBqF9EXEXiZkmCVvFEp+KDU/losY0gTKIY1LmCz MqJiRdHukaSfAmeFkohCJDkhf3AjYhye9Oo/3u2iSCHMa9oDXrH+MQ4L/xhXo6Pb e7ATh+L/ZNi10abGoOYJOTj1d+a9qd8U+CtTowR3R3+lewOvCReDaj45gu2m0zuZ AJsgassleJ21dXEOcVjbnaCI2FyvbQZRwwu96Dao1WTIkkAugDKHnZzitoQxM6AM 8R/1K6M5mPlweRE4RfHS3dJPkzF/dKhNZOg7KMQdLbiD4RFTR0ELr4zrjmoisasb ixKnhVk1Zhp2835Dw+yf =n+gx -----END PGP SIGNATURE----- -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
