On 21/01/2014 10:58, Mike Cardwell wrote:
> There is some misunderstanding of cross-origin policy here. Cross-origin
> policy does not prevent the cross-origin request from taking place. It
> only prevents you from being able to read the response.

Indeed. But being able to send requests to arbitrary *LAN* host:port and get back discriminating answers allows easy scanning. A JS script might scan the entire LAN, test firewall policies, and xhr the result back to the originating website.

> There would be no point in preventing the request from taking place
> as people can initiate them already, without even using JavaScript.
> For example, the above request could have been made by just sticking
> this in some HTML:
>
> <img src="http://127.0.0.1:1234/">

Indeed, and detect timeouts/errors via JavaScript? The XHR method seems to provide more information and a more reliable interface for scanning/network fingerprinting though (you can even test LAN web servers' CORS policy) -- I haven't looked into it deep enough to be sure.

I'm not sure how this is all a good default for regular browsing, yet it is clearly unacceptable in a TBB context: it makes (FOXACID) LAN fingerprinting a breeze.

--
Olivier Cornu

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
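The one place a LAN service itself can push back on the XHR case discussed in this exchange is the Origin header that a cross-origin XHR carries and a plain `<img>` probe does not. The following is an added illustration (not code from the thread, Tor Browser, or any router firmware) of that server-side check; the header names, the sample requests and the "router UI at 192.168.1.1" scenario are constructed for the example.

```python
"""Classify requests reaching a LAN web service by where the browser says
they came from, and refuse XHR launched from public web origins.
Added example; headers and sample requests are constructed."""
import ipaddress
from urllib.parse import urlsplit

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_private_host(host):
    """True for loopback/RFC1918 IP literals and 'localhost'; DNS names are
    treated as public because they cannot be verified without a lookup."""
    if host == "localhost":
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:
        return False

def classify_request(headers):
    """Return 'no-origin', 'same-host', 'cross-origin-private' or
    'cross-origin-public' from a dict of lower-cased request headers.
    Only the Origin header is used: <img> probes send none and land in
    'no-origin', which is exactly the gap the thread points out (the TCP
    connect already reveals an open port; this only limits what XHR gets)."""
    origin = headers.get("origin")
    if origin is None:
        return "no-origin"
    if origin == "null":              # opaque origin: cannot be verified
        return "cross-origin-public"
    origin_host = urlsplit(origin).hostname or ""
    served_host = urlsplit("//" + headers.get("host", "")).hostname or ""
    if origin_host == served_host:    # port differences are ignored on purpose
        return "same-host"
    if is_private_host(origin_host):
        return "cross-origin-private"
    return "cross-origin-public"

def should_reject(headers):
    """Policy for a LAN service: answer XHR from public origins with one fixed
    response (e.g. 403 without CORS headers) so the body carries no
    fingerprint. It does not hide that the port is open."""
    return classify_request(headers) == "cross-origin-public"

if __name__ == "__main__":
    # Constructed requests as seen by a router UI at 192.168.1.1.
    for req in ({"host": "192.168.1.1", "origin": "http://192.168.1.1"},
                {"host": "192.168.1.1", "origin": "http://192.168.1.20:8080"},
                {"host": "192.168.1.1", "origin": "https://public.example"},
                {"host": "192.168.1.1"}):
        print(classify_request(req), should_reject(req))
```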
