[tor-talk] Security issue
Mike Cardwell
tor at lists.grepular.com
Tue Jan 21 09:49:09 UTC 2014
* on the Tue, Jan 21, 2014 at 12:55:20AM -0800, Yuri wrote:
>>> With Tor Browser Bundle default settings any web-site can access
>>> local resources by JavaScript and XMLHttpRequest.
>>
>> Could you please explain why the same-origin policy of Firefox doesn't
>> prevent this?
>
> Which 'same-origin policy' are you referring to?
The one that is core to the way that the web allows different origins to
interact with each other:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
> I only see security.fileuri.strict_origin_policy in FF, and it only
> applies to the file URIs (as its name says).
It's not a Firefox thing, it's a "Web" thing.
> Otherwise, cross origin access is allowed, as demoed here
> http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html
That's not correct. As that page explains, you can only access the
content of a cross-origin request if the "other" origin sends a HTTP
response header saying so (Access-Control-Allow-Origin). Cross origin is
prevented by default.
If you have a web server listening on 127.0.0.1 and that web server
sends an Access-Control-Allow-Origin header with its response, then
yes, you will be able to communicate with it from other websites.
By design.
--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
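Added example, not part of the thread or of any Tor/Firefox code: a small model of the browser-side CORS decision Mike describes (simple request, no preflight), next to a server-side helper for a service on 127.0.0.1 that opts in only for an allowlist of origins instead of reflecting every Origin. Function names, the origins and the configs are constructed for illustration.

```javascript
'use strict';

// Browser side (modelled, not Firefox's code): may a page at `origin` read a
// cross-origin response? `headers` is the response header map with lower-cased
// names; `withCredentials` mirrors XMLHttpRequest.withCredentials.
function responseReadable(origin, headers, withCredentials = false) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;        // default: response body is withheld
  if (acao === '*') return !withCredentials;   // '*' never unlocks a credentialed read
  if (acao !== origin) return false;           // header names a different origin
  if (withCredentials) {
    return headers['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// Server side: headers a local service should emit for a given request Origin.
// It sends the header only for origins it actually wants to talk to; any other
// origin gets nothing, so the browser keeps the response from its scripts.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'access-control-allow-origin': requestOrigin,
    'vary': 'Origin', // stop caches handing one origin's grant to another
  };
}

// Constructed sample: a local service that a front end at https://app.example
// legitimately uses, visited while another site is open in the same browser.
const trustedFrontEnd = 'https://app.example';
const otherSite = 'http://example.test';
const allowlist = [trustedFrontEnd];

// Wide-open config (the case the message warns about): '*' lets any site read.
const openHeaders = { 'access-control-allow-origin': '*' };

function demo() {
  return {
    otherSiteOpen: responseReadable(otherSite, openHeaders),                          // true
    otherSiteAllowlisted: responseReadable(otherSite, corsHeadersFor(otherSite, allowlist)), // false
    frontEndAllowlisted: responseReadable(trustedFrontEnd, corsHeadersFor(trustedFrontEnd, allowlist)), // true
    noHeaderAtAll: responseReadable(otherSite, {}),                                     // false
  };
}

console.log(demo());
```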