On Tue, Jan 21, 2014 at 11:56:42AM +0100, Olivier Cornu wrote:

> > There is some misunderstanding of cross-origin policy here. Cross-origin
> > policy does not prevent the cross-origin request from taking place. It
> > only prevents you from being able to read the response.
>
> Indeed. But being able to send requests to arbitrary *LAN* host:port and
> get back discriminating answers allows easy scanning. A JS script might
> scan the entire LAN, test firewall policies, and xhr the result back to
> the originating website.
>
> > There would be no point in preventing the request from taking place
> > as people can initiate them already, without even using JavaScript.
> > For example, the above request could have been made by just sticking
> > this in some HTML:
> >
> > <img src="http://127.0.0.1:1234/">
>
> Indeed, and detect timeouts/errors via JavaScript?
> The XHR method seems to provide more information and a more reliable
> interface for scanning/network fingerprinting though (you can even test
> LAN web servers' CORS policy) -- I haven't looked into it deeply enough to
> be sure.

I don't think the XHR method provides anything above what you can do with
timing load/error events on dynamically generated imgs.

> I'm not sure how this is all a good default for regular browsing

It is not a good default for regular browsing, but it is what we have and it
is how the web was designed, and there is no way back now without replacing
the web with something new. The web is too interconnected to be safe, but
that interconnectedness is also what has made it as big as it is today.

I personally use RequestPolicy in Firefox to prevent *all* cross-origin
requests from any site to any other site, be they XHR, images or any other
type of content. It has a whitelist system built in which is very similar to
the way NoScript works. If I had to choose between giving up RequestPolicy
or NoScript, I would give up NoScript without a second thought.

> , yet it
> is clearly unacceptable in a TBB context: it makes (FOXACID) LAN
> fingerprinting a breeze.

I don't use TBB myself, but it's my understanding that all TBB traffic goes
through Tor, and thus doesn't have access to localhost or the LAN anyway,
making this a non-issue... If connections are being made from TBB without
going via Tor, then there is a serious leak in TBB. I'm not convinced this
is happening though.

-- 
Mike Cardwell  https://grepular.com/  http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk