[tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 21 14:17:54 UTC 2014
#10686: Tor allows Cross-Site Request initiations to localhost
-------------------------------+---------------------------
Reporter: GerardusHendricks | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------------+---------------------------
Please also see the discussion on the Tor-Talk mailing list:
https://lists.torproject.org/pipermail/tor-talk/2014-January/031776.html
I'll try to condense the discussion into a single problem. I have not
tried to reproduce this myself, but several people confirm the behaviour
on the list.
User TT-Security points out that the Tor Browser Bundle allows any website
to initiate cross-site requests to localhost. This is possible because the
Tor Browser proxy settings exempt "localhost, 127.0.0.1" from using the
proxy (see Options -> Advanced -> Network -> Settings -> No proxy for).
I said "initiate" requests, because the Same-Origin policy of Firefox in
most cases prevents the website from reading the localhost response,
because the localhost server must return a HTTP Access-Control-Allow-Origin
header with the appropriate value.
This is however still a problem in the Tor Browser Bundle security model,
as arbitrary websites can launch requests to localhost services, even if
they cannot read the response.
I must note that requests to private addresses (such as 192.168.0.1) are
safe because they are properly proxied through Tor (but will of course
fail).
Solutions would include removing localhost from being included in "No
proxy for" or enabling NoScript's Application Boundaries Enforcer.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10686>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
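As an added illustration of the service side of the problem described in the ticket (example code, not part of the ticket or of Tor Browser): the browser will deliver a cross-site request to a loopback service regardless of the proxy exemption, so the only thing the local service controls is whether it acts on the request and whether it ever grants a foreign page read access via Access-Control-Allow-Origin. The allow-list, the status codes and the choice to reject state-changing requests without an Origin header are assumptions of this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed policy for this example (not a Tor Browser setting): only pages served
# from the loopback interface may drive the service.
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "::1"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def classify_origin(origin):
    """Classify a raw Origin header value as 'trusted', 'foreign' or 'absent'."""
    if not origin:
        return "absent"   # plain <img>/<form> GETs and non-browser clients may omit it
    if origin == "null":
        return "foreign"  # sandboxed iframes, cross-origin redirects, file:// pages
    try:
        parts = urlsplit(origin)
    except ValueError:
        return "foreign"
    if parts.scheme not in ("http", "https") or parts.hostname not in TRUSTED_HOSTS:
        return "foreign"
    return "trusted"

def decide(method, headers):
    """Return (status, response_headers) for one request: refuse a foreign Origin
    outright, tolerate a missing Origin only for read-only methods, and echo
    Access-Control-Allow-Origin only for a trusted origin (never '*')."""
    verdict = classify_origin(headers.get("Origin"))
    if verdict == "foreign" or (verdict == "absent" and method in STATE_CHANGING):
        return 403, {}
    response_headers = {}
    if verdict == "trusted":
        response_headers["Access-Control-Allow-Origin"] = headers.get("Origin")
        response_headers["Vary"] = "Origin"
    return 200, response_headers

class LocalOnlyHandler(BaseHTTPRequestHandler):
    def _handle(self):
        status, extra = decide(self.command, self.headers)
        body = b"ok\n" if status == 200 else b"forbidden\n"
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = _handle

if __name__ == "__main__":
    # Bind to loopback only; the Origin check is a second layer on top of that.
    HTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```

A request from a page on any other origin still reaches the service, as the ticket points out; this only keeps the service from acting on it or leaking its response.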