[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
From: Yuri <yuri@xxxxxxxxx>
Date: Tue, 21 Jan 2014 16:39:05 -0800
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 21 Jan 2014 19:42:49 -0500
In-reply-to: <1390346434.539922.1289.57209@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <52DE4FA8.7010709@xxxxxxxxx> <1390346434.539922.1289.57209@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

On 01/21/2014 15:20, TT Security wrote:

Mozilla developers don't like such insignificant(from their point ofview) :)Just ask Gijs Kruitbosch there: what would be if some application willsend "Access-Control-Allow-Origin: *" in response?
And he will answer to you: this is not the problem of firefox! :))you'll need control applications on your computer yourself, so if someapplication will reply with this header Firefox will allow ANYweb-site from the global web read the reply and save it on its server :)
This is like Firefox works now! :)
They don't think forward!
For example, IE and Opera don't allow acces to LAN resources fromglobal web-sites by default.



Yes, I agree with you.

This is the situation which is currently not covered by any particularweb standard, therefore this is a gray area. I am sure CORS designersdidn't mean to allow global->LAN data access through XMLHttpRequest. Andbrowser developers being busy with other things just stick to the pathof least resistance.

Chrome developers already rejected this PR because this isn't requestedby standards. And FF will probably do the same.


Yuri
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
  - From: Yuri
- Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
  - From: TT Security

Prev by Author: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Next by Author: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Previous by thread: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Next by thread: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Index(es):
- Author
- Thread