
Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default



On 01/21/2014 15:20, TT Security wrote:
Mozilla developers don't like such insignificant (from their point of view) :) Just ask Gijs Kruitbosch there: what would happen if some application sent "Access-Control-Allow-Origin: *" in a response?

And he will answer you: this is not the problem of Firefox! :)) You'll need to control the applications on your computer yourself, so if some application replies with this header, Firefox will allow ANY web-site from the global web to read the reply and save it on its server :)
This is how Firefox works now! :)
They don't think forward!
For example, IE and Opera don't allow access to LAN resources from global web-sites by default.


Yes, I agree with you.

This is the situation which is currently not covered by any particular web standard, therefore this is a gray area. I am sure CORS designers didn't mean to allow global->LAN data access through XMLHttpRequest. And browser developers being busy with other things just stick to the path of least resistance.

Chrome developers already rejected this PR because this isn't requested by standards. And FF will probably do the same.

Yuri
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
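The header behaviour discussed in the thread, as an added example that is not part of the original posts: a LAN service that answers with `Access-Control-Allow-Origin: *` lets any origin the browser visits read its responses, whereas echoing only an allowlisted origin does not. The allowlist, origin values and sample responses below are constructed for illustration.

```python
"""Added example: safe CORS header selection for a LAN service, plus a
check that flags responses readable by every origin (the "*" case)."""
from urllib.parse import urlsplit

ACAO = "Access-Control-Allow-Origin"
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonical scheme://host[:port] form, so allowlist matching is exact.
    Returns None for anything that is not a plain web origin."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    host = parts.hostname.lower()
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers_for(request_origin, allowed_origins):
    """Headers a LAN service should add for a cross-origin request.
    Only an exact allowlist match is echoed back; any other origin gets no
    ACAO header at all, so the browser withholds the body from the page."""
    wanted = normalize_origin(request_origin)
    allowed = {normalize_origin(o) for o in allowed_origins}
    if wanted is not None and wanted in allowed:
        # Vary: Origin stops a cache handing one origin's ACAO to another.
        return {ACAO: wanted, "Vary": "Origin"}
    return {}


def assess_cors(response_headers):
    """Classify a response's cross-origin readability from its headers:
    'none' (no ACAO, not readable cross-origin), 'wildcard' (readable by
    every origin, the case the thread complains about) or 'specific'."""
    acao = response_headers.get(ACAO)
    if acao is None:
        return "none"
    if acao.strip() == "*":
        return "wildcard"
    return "specific"


# Constructed sample responses from two hypothetical LAN services.
PERMISSIVE = {ACAO: "*", "Content-Type": "application/json"}
LOCKED_DOWN = cors_headers_for("https://intranet.example:443",
                               ["https://intranet.example"])
```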