* on the Tue, Jan 21, 2014 at 10:18:26AM +0100, Max Jakob Maass wrote:

> $ nc -l -p 1234
> GET / HTTP/1.1
> Host: 127.0.0.1:1234
> Connection: keep-alive
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/32.0.1700.77 Safari/537.36
> Origin: http://tortestprivacy.url.ph
> Accept: */*
> DNT: 1
> Referer: http://tortestprivacy.url.ph/
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8,de;q=0.6
>
> So, apparently, Google does not enforce a same origin policy on this,
> either.

There is some misunderstanding of cross-origin policy here. Cross-origin
policy does not prevent the cross-origin request from taking place. It
only prevents you from being able to read the response. There would be
no point in preventing the request from taking place as people can
initiate them already, without even using JavaScript. For example, the
above request could have been made by just sticking this in some HTML:

  <img src="http://127.0.0.1:1234/">

There is no cross-origin policy violation by doing that.

You cannot read the response of a cross-origin AJAX request *unless* an
Access-Control-Allow-Origin header is returned with the response, and
only if that Access-Control-Allow-Origin header allows your particular
origin (or all origins) to do so.

--
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
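
The behaviour described in the reply above, as an added example that is not part of the original message: a simplified model of a simple cross-origin GET (no preflight), showing that the listener receives the request either way and only the read decision depends on Access-Control-Allow-Origin. The function names, the `http://trusted.example` allowlist entry and the response body are assumptions made for the example; the credentialed-request rule goes slightly beyond what the message covers.

```javascript
// Browser-side read check for a simple GET (model, not a real browser).
function pageMayRead(pageOrigin, requestUrl, resHeaders, withCredentials = false) {
  if (new URL(requestUrl).origin === pageOrigin) return true; // same origin: readable
  const acao = resHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;          // no header: script cannot read it
  if (withCredentials) {                         // credentialed requests: "*" is not accepted
    return acao === pageOrigin &&
      resHeaders["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// A local service that grants read access only to allowlisted origins.
function makeService(allowedOrigins) {
  const seen = [];                               // every request that reached the listener
  function handle(reqHeaders) {
    seen.push(reqHeaders.origin || "(none)");    // arrives regardless of any browser policy
    const headers = { vary: "Origin" };
    if (allowedOrigins.includes(reqHeaders.origin)) {
      headers["access-control-allow-origin"] = reqHeaders.origin;
    }
    return { status: 200, headers, body: "local data" };
  }
  return { handle, seen };
}

// The browser sends the request first, then decides whether script may see the response.
function crossOriginFetch(pageOrigin, url, service) {
  const res = service.handle({ host: new URL(url).host, origin: pageOrigin });
  const readable = pageMayRead(pageOrigin, url, res.headers);
  return { delivered: true, readable, body: readable ? res.body : null };
}

const svc = makeService(["http://trusted.example"]);   // constructed allowlist
const url = "http://127.0.0.1:1234/";                   // listener from the quoted nc session
const blocked = crossOriginFetch("http://tortestprivacy.url.ph", url, svc);
const allowed = crossOriginFetch("http://trusted.example", url, svc);
console.log({ blocked, allowed, seen: svc.seen });
```

Because `seen` records both requests, a service bound to localhost cannot treat the same-origin policy as access control: anything it does on receipt of a request needs its own check.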