[tor-talk] Security issue
Yuri
yuri at rawbw.com
Tue Jan 21 08:55:20 UTC 2014
On 01/20/2014 16:25, Gerardus Hendricks wrote:
>
>> With Tor Browser Bundle default settings any web-site can access to
>> local resources by JavaScript and XMLHttpRequest.
>
> Could you please explain why the same-origin policy of Firefox doesn't
> prevent this?
Which 'same-origin policy' are you referring to?
I only see security.fileuri.strict_origin_policy in FF, and it only
applies to the file URIs (as its name says).
Otherwise, cross origin access is allowed, as demoed here
http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html
Browsers should not allow cross origin from global URI to local URIs and
loopback addresses. There are only 3 classes of local IPs + loopback
address.
I am not able to verify this now. But if browser allows this, this is a
major security violation.
The danger of such cross-origin access is that the remote site can use
this to learn something about the local network of the client, which
should be disallowed.
Yuri
More information about the tor-talk
mailing list