[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

Yuri yuri at rawbw.com
Wed Jan 22 00:39:05 UTC 2014


On 01/21/2014 15:20, TT Security wrote:
> Mozilla developers don't like such insignificant (from their point of 
> view) :)
> Just ask Gijs Kruitbosch there: what would happen if some application 
> sent "Access-Control-Allow-Origin: *" in response?
>
> And he will answer you: this is not the problem of Firefox! :)) 
> you'll need to control applications on your computer yourself, so if some 
> application replies with this header Firefox will allow ANY 
> web-site from the global web to read the reply and save it on its server :)
> This is how Firefox works now! :)
> They don't think forward!
> For example, IE and Opera don't allow access to LAN resources from 
> global web-sites by default.


Yes, I agree with you.

This is the situation which is currently not covered by any particular 
web standard, therefore this is a gray area. I am sure CORS designers 
didn't mean to allow global->LAN data access through XMLHttpRequest. And 
browser developers being busy with other things just stick to the path 
of least resistance.

Chrome developers already rejected this PR because this isn't requested 
by standards. And FF will probably do the same.

Yuri
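The thread's point is that the only thing standing between a page on the public web and a response from a LAN service is the CORS check, and a service that answers with `Access-Control-Allow-Origin: *` opts out of that check for every origin. The following is an added illustration, not code from the thread or from Firefox or NoScript: a simplified model of the browser-side CORS response check (after the Fetch standard's "CORS check" steps) next to the server-side header a LAN service should emit instead of `*`. The origins `https://public.example` and `http://192.168.1.1` are constructed sample values.

```javascript
// Simplified model of the browser's CORS response check (Fetch standard
// "CORS check"). Returns true when a document at `requestOrigin` may read
// the body of a cross-origin response carrying `responseHeaders`.
// Header names are assumed to be lower-cased by the caller.
function corsAllowsRead(requestOrigin, responseHeaders, credentialsMode = "same-origin") {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined || acao === null) return false;      // no header: blocked
  if (credentialsMode !== "include" && acao === "*") return true; // wildcard: any origin may read
  if (acao !== requestOrigin) return false;                   // must match exactly
  if (credentialsMode !== "include") return true;
  // With credentials, the server must also opt in explicitly.
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Server side of the corrected setting: answer with the caller's origin only
// when it is on an explicit allowlist, and send nothing otherwise so the
// browser withholds the response from every other origin. (Hypothetical
// helper, written for this example.)
function acaoHeaderFor(requestOrigin, allowedOrigins) {
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    return { "access-control-allow-origin": requestOrigin, "vary": "Origin" };
  }
  return {}; // no ACAO header: cross-origin reads are denied
}

// Constructed sample origins: a public web site and a LAN device's admin UI.
const PUBLIC_SITE = "https://public.example";
const LAN_ADMIN_UI = "http://192.168.1.1";

// The weak setting the thread complains about, and the corrected responses.
const weakResponse = { "access-control-allow-origin": "*" };
const fixedResponse = acaoHeaderFor(PUBLIC_SITE, [LAN_ADMIN_UI]);
const sameLanResponse = acaoHeaderFor(LAN_ADMIN_UI, [LAN_ADMIN_UI]);

// Summary of the four cases, usable as a quick self-check.
function summary() {
  return {
    weakReadableByPublicSite: corsAllowsRead(PUBLIC_SITE, weakResponse),
    fixedReadableByPublicSite: corsAllowsRead(PUBLIC_SITE, fixedResponse),
    fixedReadableByLanUi: corsAllowsRead(LAN_ADMIN_UI, sameLanResponse),
    weakReadableWithCredentials: corsAllowsRead(PUBLIC_SITE, weakResponse, "include"),
  };
}
```

Two caveats worth keeping in mind when reading this model: the CORS check only governs whether the response body is readable, not whether the request reaches the LAN service in the first place (a simple request is still sent and may have side effects), and an allowlist on the service is a complement to, not a replacement for, a client-side policy like NoScript's ABE that refuses to let public-web origins talk to private address ranges at all.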

