[tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jan 24 11:56:22 UTC 2014
#10419: Can requests to 127.0.0.1 be used to fingerprint the browser?
-------------------------------------+-------------------------------------
     Reporter:  mikeperry             |      Owner:  mikeperry
         Type:  task                  |     Status:  needs_review
     Priority:  major                 |  Milestone:
    Component:  Firefox Patch Issues  |    Version:
   Resolution:                        |   Keywords:  tbb-fingerprinting, tbb-pref, MikePerry201401R
Actual Points:                        |  Parent ID:
       Points:                        |
-------------------------------------+-------------------------------------
Comment (by oc):
In the meantime, exploring smarter safe policies: Yuri has theorized
[https://bugzilla.mozilla.org/show_bug.cgi?id=962017#c5 cross-network
policies that go beyond CORS] in a ''general browser context'':
> CORS http://www.w3.org/TR/cors/ talks how server can accept or not
> accept cross-origin requests using special http headers. However, '''this
> should apply only from narrower to wider network direction'''. So it
> should apply for global->global, or LAN->global, or loopback->LAN, etc.
> But cross-origin should never be allowed in these situations:
> global->LAN, global->loopback, LAN->loopback.
> Browser should have special rule disallowing such cross-origin access as
> security violation.
In a ''TBB context'' we might want to:
* block narrower-to-wider as well (''eg'' LAN->global may
[https://trac.torproject.org/projects/tor/ticket/10419#comment:20 leak
your Tor exit node])
* but still allow same-network traffic: lo->lo, LAN->LAN, WAN->WAN
What do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
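
Added example, not part of the original ticket comment or of any Tor Browser patch: a sketch of the two zone policies discussed in the comment above (the quoted narrower-to-wider rule and the stricter same-network rule), applied to already-resolved IP literals. The function names, the zone classification via Python's ipaddress module, the treatment of the unspecified address as loopback, and the sample addresses are assumptions.

```python
import ipaddress
from enum import IntEnum

class Zone(IntEnum):
    """Network scopes ordered from narrowest to widest."""
    LOOPBACK = 0
    LAN = 1
    GLOBAL = 2

def zone_of(addr: str) -> Zone:
    """Classify an IP literal (hypothetical helper; name resolution is out of scope)."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is not mistaken for a global address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # Assumption: the unspecified address (0.0.0.0, ::) is treated as loopback,
    # since many stacks route connections to it to the local host.
    if ip.is_loopback or ip.is_unspecified:
        return Zone.LOOPBACK
    if ip.is_private or ip.is_link_local:
        return Zone.LAN
    return Zone.GLOBAL

def general_policy_passes(src: str, dst: str) -> bool:
    """Quoted rule: cross-origin access only from a narrower to a wider (or equal) zone."""
    return zone_of(src) <= zone_of(dst)

def tbb_policy_passes(src: str, dst: str) -> bool:
    """Stricter proposal in the comment: same-zone only (lo->lo, LAN->LAN, WAN->WAN)."""
    return zone_of(src) == zone_of(dst)

# Constructed sample addresses, one per zone.
SAMPLES = {"lo": "127.0.0.1", "LAN": "192.168.1.10", "WAN": "8.8.8.8"}

def decision_matrix(policy):
    """Return {(src_zone, dst_zone): bool} for every pair of sample zones."""
    return {(s, d): policy(SAMPLES[s], SAMPLES[d]) for s in SAMPLES for d in SAMPLES}

if __name__ == "__main__":
    for name, policy in (("general", general_policy_passes), ("TBB", tbb_policy_passes)):
        for (s, d), ok in decision_matrix(policy).items():
            print(f"{name:8} {s:>3} -> {d:<3} {'pass' if ok else 'block'}")
```

A pass here only means the zone check does not block the request; ordinary same-origin and CORS handling would still apply afterwards.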