[tor-talk] Security issue

Mike Cardwell tor at lists.grepular.com
Tue Jan 21 09:49:09 UTC 2014


* on the Tue, Jan 21, 2014 at 12:55:20AM -0800, Yuri wrote:

>>> With Tor Browser Bundle default settings any web-site can access to
>>> local resources by JavaScript and XMLHttpRequest.
>>
>> Could you please explain why the same-origin policy of Firefox doesn't 
>> prevent this?  
> 
> Which 'same-origin policy' are you referring to?

The one that is core to the way that the web allows different origins to
interact with each other:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

> I only see security.fileuri.strict_origin_policy in FF, and it only 
> applies to the file URIs (as its name says).

It's not a Firefox thing, it's a "Web" thing.

> Otherwise, cross origin access is allowed, as demoed here 
> http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html

That's not correct. As that page explains, you can only access the
content of a cross-origin request if the "other" origin sends an HTTP
response header saying so (Access-Control-Allow-Origin). Cross origin is
prevented by default.

If you have a web server listening on 127.0.0.1 and that web server
sends an Access-Control-Allow-Origin header with its response, then
yes, you will be able to communicate with it from other websites.
By design.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
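The rule Mike describes above (cross-origin reads are blocked unless the responding origin opts in with Access-Control-Allow-Origin), as an added example that is not part of the original thread. It models the browser's read check for a simple, non-preflighted request and contrasts a hypothetical local service on 127.0.0.1 that opts every site in with one that uses an allowlist or sends no CORS header at all. The policy names and origins are constructed for illustration.

```javascript
'use strict';

// Added example (not from the tor-talk thread). Decide whether script running
// at `requestOrigin` may read a response whose headers are `headers`
// (lower-case keys), following the CORS rules for a simple request.
function corsReadAllowed(requestOrigin, headers, { withCredentials = false } = {}) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;        // no opt-in: blocked by default
  if (acao === '*') return !withCredentials;   // wildcard is never valid with credentials
  if (acao !== requestOrigin) return false;    // otherwise an exact origin match is required
  if (withCredentials) {
    return headers['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// Response headers for a hypothetical service bound to 127.0.0.1.
//   'permissive': opts every site in (the situation the reply describes)
//   'allowlist':  opts in only the origins it expects, echoing them back
//   'none':       sends no CORS header, so cross-origin reads stay blocked
function localServiceHeaders(policy, requestOrigin, allowedOrigins = []) {
  const headers = { 'content-type': 'application/json' };
  if (policy === 'permissive') {
    headers['access-control-allow-origin'] = '*';
  } else if (policy === 'allowlist' && allowedOrigins.includes(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
    headers['vary'] = 'Origin'; // caches must key on the Origin request header
  }
  return headers;
}

// Simulate a page at `pageOrigin` fetching the local service configured with
// `policy`; returns true if the page's script can read the response body.
// Note that CORS only gates the *read*: a simple request is still delivered to
// the listener, so a local service also needs its own authentication.
function simulate(pageOrigin, policy, allowedOrigins) {
  const headers = localServiceHeaders(policy, pageOrigin, allowedOrigins);
  return corsReadAllowed(pageOrigin, headers);
}

// Constructed scenarios: an unrelated site versus the service's intended front end.
for (const [origin, policy, allowed] of [
  ['http://unrelated.example', 'none', []],
  ['http://unrelated.example', 'permissive', []],
  ['http://unrelated.example', 'allowlist', ['http://app.example']],
  ['http://app.example', 'allowlist', ['http://app.example']],
]) {
  console.log(`${origin} -> 127.0.0.1 [${policy}]: readable=${simulate(origin, policy, allowed)}`);
}
```

The permissive policy is exactly the case the reply calls "by design": the operator of the local listener chose to let any origin read its responses. A service that only ever expects same-origin or a known front end should send no Access-Control-Allow-Origin header, or echo only allowlisted origins together with `Vary: Origin`.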