On 01/20/2014 16:25, Gerardus Hendricks wrote:
With Tor Browser Bundle default settings any web-site can access local resources by JavaScript and XMLHttpRequest.

Could you please explain why the same-origin policy of Firefox doesn't prevent this?

Which 'same-origin policy' are you referring to? I only see security.fileuri.strict_origin_policy in FF, and it only applies to the file URIs (as its name says). Otherwise, cross origin access is allowed, as demoed here http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html
Browsers should not allow cross origin from global URI to local URIs and loopback addresses. There are only 3 classes of local IPs + loopback address. I am not able to verify this now. But if the browser allows this, this is a major security violation.
The danger of such cross-origin access is that the remote site can use this to learn something about the local network of the client, which should be disallowed.
Yuri
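The check the message above argues for, written out as an added example (not part of the original post and not Firefox or Tor Browser code): it flags a request when the page comes from a public host and the target is one of the three RFC 1918 private ranges or loopback. The function names and the sample URLs are assumptions, and the example goes slightly beyond the message by also treating `localhost` and IPv6 `::1` as loopback.

```javascript
// Added example: classify a request target as local (RFC 1918 or loopback)
// and decide whether a page from a public origin should be allowed to reach it.

// Parse a strict dotted-quad IPv4 literal into an unsigned integer, or null.
function parseIPv4(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null; // decimal octets only
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// The three private ranges plus IPv4 loopback, as [network, prefixLength].
const LOCAL_V4 = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
];

function inRange(addr, network, prefix) {
  const base = parseIPv4(network);
  return addr >= base && addr < base + 2 ** (32 - prefix);
}

function isLocalTarget(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h === "::1") return true;
  const addr = parseIPv4(h);
  // A DNS name is not classified here; a real check must be repeated on the
  // address the name resolves to, since a public name can point at a local IP.
  if (addr === null) return false;
  return LOCAL_V4.some(([net, prefix]) => inRange(addr, net, prefix));
}

// Block only the direction the message objects to: public page -> local target.
function shouldBlock(pageUrl, targetUrl) {
  const page = new URL(pageUrl).hostname;
  const target = new URL(targetUrl).hostname;
  return !isLocalTarget(page) && isLocalTarget(target);
}
```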