Christ. Chrome even allows connecting to other machines in the LAN. I successfully connected to my Raspberry Pi (only reachable via LAN) by changing the IP in the source code from 127.0.0.1 to the relevant IP.

So, apparently, Chrome allows you to enumerate the LAN and interact with other machines in it. I'll see if there is a bug report for that already.

Thanks for the Info, TT Security.

On 21.01.2014 10:18, Max Jakob Maass wrote:
> I see the same behaviour with the latest Chrome running Linux:
>
> $ nc -l -p 1234
> GET / HTTP/1.1
> Host: 127.0.0.1:1234
> Connection: keep-alive
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36
> Origin: http://tortestprivacy.url.ph
> Accept: */*
> DNT: 1
> Referer: http://tortestprivacy.url.ph/
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8,de;q=0.6
>
> So, apparently, Google does not enforce a same origin policy on
> this, either.
>
> On 21.01.2014 10:01, Olivier Cornu wrote:
>> On 21/01/2014 05:06, TT Security wrote:
>>>
>>>> I don't think browsers in general allow connections on
>>>> loopback interfaces, unless explicitly requested by users.
>>>
>>> I have Tor Browser Bundle 3.5 and Firefox 24.2.0 from there.
>>> Just open some port on your computer (only for testing), for
>>> example a local web-server, and try with Firefox from Tor Browser
>>> Bundle this page: http://tortestprivacy.url.ph/ You will see
>>> :)
>
>> Fwiw, I can confirm this unfortunate behavior. :( TBB connecting
>> to loopback netcat socket from tortestprivacy.url.ph javascript:
>
>> $ nc -l -p 1234
>> GET / HTTP/1.1
>> Host: 127.0.0.1:1234
>> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>> Accept-Encoding: gzip, deflate
>> DNT: 1
>> Referer: http://tortestprivacy.url.ph/
>> Origin: http://tortestprivacy.url.ph
>> Connection: keep-alive
>
>> -- Olivier Cornu
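Both captured requests in this thread carry `Origin: http://tortestprivacy.url.ph` next to `Host: 127.0.0.1:1234`, which is what a service listening on loopback or the LAN can check before acting on a request. The following is an added example, not part of the original thread; the port, the allowlists and the sample requests are assumptions constructed from the captures above.

```python
# Added example: Origin/Host validation for a service bound to loopback.
# Assumptions: port 1234 (as in the thread's nc test) and these allowlists.
ALLOWED_HOSTS = {"127.0.0.1:1234", "localhost:1234"}
ALLOWED_ORIGINS = {"http://127.0.0.1:1234", "http://localhost:1234"}
SAFE_METHODS = {"GET", "HEAD"}


def parse_request(raw: bytes):
    """Return (method, headers) from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, _target, _version = request_line.split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers


def check_request(raw: bytes):
    """Return the (status, reason) the service should answer with."""
    try:
        method, headers = parse_request(raw)
    except ValueError:
        return 400, "malformed request"
    hosts = headers.get("host", [])
    if len(hosts) != 1 or hosts[0].lower() not in ALLOWED_HOSTS:
        return 403, "unexpected Host header"
    origins = headers.get("origin", [])
    if len(origins) > 1:
        return 400, "duplicate Origin header"
    if origins and origins[0].lower() not in ALLOWED_ORIGINS:
        return 403, "cross-origin browser request"
    if not origins and method not in SAFE_METHODS:
        return 403, "state-changing request without Origin"
    return 200, "ok"


# Constructed sample, modelled on the Chrome request captured in the thread.
FROM_REMOTE_PAGE = (
    b"GET / HTTP/1.1\r\nHost: 127.0.0.1:1234\r\n"
    b"Origin: http://tortestprivacy.url.ph\r\n"
    b"Referer: http://tortestprivacy.url.ph/\r\n\r\n"
)
# Constructed sample: a local client that sends no Origin header.
FROM_LOCAL_CLIENT = b"GET / HTTP/1.1\r\nHost: 127.0.0.1:1234\r\nAccept: */*\r\n\r\n"
```

The check has to run before the service does any work, because the browser delivers the request whether or not the page is later allowed to read the response.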
