[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost

Subject: Re: [tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 21 Jan 2014 14:42:21 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 21 Jan 2014 09:42:20 -0500
In-reply-to: <057.b0e4c1522cf11cc254ede27912fa5dd9@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <057.b0e4c1522cf11cc254ede27912fa5dd9@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#10686: Tor allows Cross-Site Request initiations to localhost
-----------------------------------+-----------------------
     Reporter:  GerardusHendricks  |      Owner:  mikeperry
         Type:  defect             |     Status:  new
     Priority:  major              |  Milestone:
    Component:  TorBrowserButton   |    Version:
   Resolution:                     |   Keywords:
Actual Points:                     |  Parent ID:
       Points:                     |
-----------------------------------+-----------------------

Comment (by cypherpunks):

 >Solutions would include removing localhost from being included from "No
 proxy for"
 #10165 localhost already removed from excluding and bypasses proxy
 You can't remove 127.0.0.1 too, else some part of Firefox code will go to
 communicate with itself via Tor. Or you need to verify it's impossible to
 happen.

 >or enabling NoScripts Application Boundaries Enforcer.
 depends what actually does Noscripts' ABE for that case.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10686#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #9901 [TorBrowserButton]: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of content are sent
Next by Author: Re: [tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
Previous by thread: [tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
Next by thread: Re: [tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
Index(es):
- Author
- Thread