[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Security issue



On 01/20/2014 16:25, Gerardus Hendricks wrote:

With Tor Browser Bundle default settings any web-site can access to
local resources by JavaScript and XMLHttpRequest.

Could you please explain why the same-origin policy of Firefox doesn't prevent this?


Which 'same-origin policy' are you referring to?
I only see security.fileuri.strict_origin_policy in FF, and it only applies to the file URIs (as its name says). Otherwise, cross origin access is allowed, as demoed here http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html

Browsers should not allow cross origin from global URI to local URIs and loopback addresses. There are only 3 classes of local IPs + loopback address. I am not able to verify this now. But if browser allows this, this is a major security violation.

The danger of such cross-origin access is that the remote site can use this to learn something about the local network of the client, which should be disallowed.

Yuri
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk