[tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 21 14:42:21 UTC 2014
#10686: Tor allows Cross-Site Request initiations to localhost
-----------------------------------+-----------------------
Reporter: GerardusHendricks | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------------+-----------------------
Comment (by cypherpunks):
>Solutions would include removing localhost from being included from "No proxy for"
#10165 localhost already removed from excluding and bypasses proxy
You can't remove 127.0.0.1 too, or else some part of the Firefox code will try to
communicate with itself via Tor. Or you need to verify that it's impossible for that to
happen.
>or enabling NoScript's Application Boundaries Enforcer.
Depends on what NoScript's ABE actually does for that case.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10686#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online