Access from a local file
Martin Fick
mogulguy at yahoo.com
Wed Feb 17 22:27:50 UTC 2010
--- On Wed, 2/17/10, downie - <downgeoff2 at hotmail.com> wrote:
> > One of the reasons is to prevent malicious users from
> > including file:// urls in an external webpage. With file://
> > urls, a webpage could be designed to test for the existence
> > of local files on your computer.
>
> How? Same origin policy prevents an external website from
> accessing any local files directly. And the 'onload'
> trick detailed at
> http://72.32.12.210/archives/vulnwatch/2002-q2/0032.html
> doesn't work (FF2 OSX anyway) because the images or
> Iframes never load from local resources at all.
> Do you have a Proof of Concept?
No because, as you say, it is prevented. I was explaining
WHY (or at least some reasons why) it is prevented. In
other words, I was explaining why such a policy exists in
Firefox. However, I believe that you can do these things
in Internet Explorer...
-Martin
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/