
Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default



On 01/21/2014 02:08, Mike Cardwell wrote:
> If you can use XMLHttpRequest to perform a request against a machine
> on your LAN that isn't using CORS, and then read the response, then
> there is a bug, and you will get a healthily sized cheque from Google
> or Mozilla for reporting it to them. If you can't read the response
> then there isn't a bug. What you're seeing is: how the web works.

I think a CORS request from a global URI into a local URL is plain illegal. A global site can't even be doing this, no matter what CORS says. This is beyond the scope of CORS. Global sites can't see local services, no matter what services exist in the LAN, and no matter if they use CORS or not.

How can a request from www.yahoo.com contain 192.168.1.10 in it? This is just invalid.

Yuri
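
The policy argued for in this message, and enforced by NoScript's default ABE rule (`Site LOCAL` / `Accept from LOCAL` / `Deny`), sketched as an added example that is not part of the original post or of NoScript's code. The function names are hypothetical, and only literal addresses and `localhost` are classified; DNS names are not resolved.

```javascript
// Added example. isLocalV4, isLocalHost and allowRequest are hypothetical
// names, not NoScript functions. No DNS resolution is done, so a public
// name that resolves to a LAN address is out of scope here.

// Loopback, "this network", RFC 1918 private and link-local IPv4 ranges.
function isLocalV4(a, b) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Classify a URL hostname (as returned by URL.hostname) as local or not.
function isLocalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // drop IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(h);
  if (v4) return isLocalV4(Number(v4[1]), Number(v4[2]));
  if (!h.includes(":")) return false;            // DNS name, not resolved
  if (h === "::1" || h === "::") return true;    // IPv6 loopback, unspecified
  const mapped = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(h);
  if (mapped) {                                  // IPv4-mapped IPv6
    const hi = parseInt(mapped[1], 16);
    return isLocalV4(hi >> 8, hi & 0xff);
  }
  const first = parseInt(h.split(":")[0], 16);
  return (first & 0xfe00) === 0xfc00 ||          // fc00::/7 unique local
         (first & 0xffc0) === 0xfe80;            // fe80::/10 link-local
}

// A local target is reachable only from a local initiator. The decision is
// made before the request is sent, so CORS headers play no part in it.
function allowRequest(initiatorUrl, targetUrl) {
  const target = new URL(targetUrl).hostname;
  if (!isLocalHost(target)) return true;
  return isLocalHost(new URL(initiatorUrl).hostname);
}

// Constructed cases, using the two hosts named in the message above.
const cases = [
  ["http://www.yahoo.com/", "http://192.168.1.10/status"],
  ["http://192.168.1.20/", "http://192.168.1.10/status"],
  ["http://www.yahoo.com/", "http://www.example.org/"],
  ["http://www.yahoo.com/", "http://[fe80::1]/"],
];
for (const [from, to] of cases) {
  console.log(`${from} -> ${to}: ${allowRequest(from, to) ? "allow" : "deny"}`);
}
```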