On Tue, Jan 21, 2014 at 12:55:20AM -0800, Yuri wrote:

>>> With Tor Browser Bundle default settings any web-site can access
>>> local resources by JavaScript and XMLHttpRequest.
>>
>> Could you please explain why the same-origin policy of Firefox doesn't
>> prevent this?
>
> Which 'same-origin policy' are you referring to?

The one that is core to the way that the web allows different origins to
interact with each other:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

> I only see security.fileuri.strict_origin_policy in FF, and it only
> applies to the file URIs (as its name says).

It's not a Firefox thing, it's a "Web" thing.

> Otherwise, cross origin access is allowed, as demoed here
> http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html

That's not correct. As that page explains, you can only access the content
of a cross-origin request if the "other" origin sends an HTTP response
header saying so (Access-Control-Allow-Origin). Cross origin is prevented
by default.

If you have a web server listening on 127.0.0.1 and that web server sends
an Access-Control-Allow-Origin header with its response, then yes, you will
be able to communicate with it from other websites. By design.

--
Mike Cardwell  https://grepular.com/  http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
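The rule Mike describes, as an added example that is not part of the thread: a simplified model of the browser-side check that decides whether page script may read a cross-origin XMLHttpRequest response, applied to constructed responses from a hypothetical service on 127.0.0.1 (the function and origin names are my own).

```python
# Added example: browser-side CORS read check (simplified "simple request"
# model, not a full CORS implementation). Names and sample data are invented.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def header(resp: Response, name: str):
    # HTTP header names are case-insensitive.
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def same_origin(a: str, b: str) -> bool:
    # Origins compare as exact scheme://host:port strings (case-insensitive).
    return a.lower() == b.lower()


def response_readable(page_origin: str, target_origin: str, resp: Response,
                      with_credentials: bool = False) -> bool:
    """True if script running at page_origin may read resp from target_origin.

    Note: the request itself still reaches the target server; this check
    only governs whether the *response* is exposed to the calling page.
    """
    if same_origin(page_origin, target_origin):
        return True                       # same origin: always readable
    acao = header(resp, "Access-Control-Allow-Origin")
    if acao is None:
        return False                      # no opt-in header: blocked by default
    if acao == "*":
        return not with_credentials       # '*' is rejected for credentialed requests
    if not same_origin(acao, page_origin):
        return False                      # header names some other origin
    if with_credentials:
        return header(resp, "Access-Control-Allow-Credentials") == "true"
    return True


# Constructed responses from a hypothetical local service on 127.0.0.1.
DEFAULT_LOCAL = Response(200, {}, "local data")                       # no CORS header
OPTED_IN_LOCAL = Response(200, {"Access-Control-Allow-Origin": "*"}, "local data")


def demo() -> dict:
    other_site, local = "http://other.example", "http://127.0.0.1:8080"
    return {"default_local": response_readable(other_site, local, DEFAULT_LOCAL),
            "opted_in_local": response_readable(other_site, local, OPTED_IN_LOCAL)}
```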
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk