Re: [tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#10686: Tor allows Cross-Site Request initiations to localhost
-----------------------------------+-----------------------
     Reporter:  GerardusHendricks  |      Owner:  mikeperry
         Type:  defect             |     Status:  new
     Priority:  major              |  Milestone:
    Component:  TorBrowserButton   |    Version:
   Resolution:                     |   Keywords:
Actual Points:                     |  Parent ID:
       Points:                     |
-----------------------------------+-----------------------

Comment (by cypherpunks):

 (Well hello this is awkward, you can refer to me as cypherpunks2)

 Replying to [comment:1 cypherpunks]:
 > You can't remove 127.0.0.1 too, else some part of Firefox code will go
 to communicate with itself via Tor.

 Can you elaborate what you mean by this? Which Firefox code are you
 referring to?

 If I set

 {{{
 user_pref("extensions.torbutton.no_proxies_on", "");
 user_pref("extensions.torbutton.saved.no_proxies_on", "");
 user_pref("network.proxy.no_proxies_on", "");
 }}}

 and then try to connect to http://127.0.0.1:631 (the CUPS printer
 interface), as expected, tor rejects the connection:

 {{{
 [warn] Rejecting SOCKS request for anonymous connection to private address
 [scrubbed].
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10686#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs