Access from a local file

Martin Fick mogulguy at yahoo.com
Wed Feb 17 22:27:50 UTC 2010


--- On Wed, 2/17/10, downie - <downgeoff2 at hotmail.com> wrote:

> > One of the reasons is to prevent malicious users from
> > including file:// urls in an external webpage.  With file://
> > urls, a webpage could be designed to test for the existence
> > of local files on your computer.
> 
> How? Same origin policy prevents an external website from
> accessing any local files directly. And the 'onload'
> trick detailed at
> http://72.32.12.210/archives/vulnwatch/2002-q2/0032.html
> doesn't work (FF2 OSX anyway) because the images or
> Iframes never load from local resources at all.
> Do you have a Proof of Concept?

No, because, as you say, it is prevented.  I was explaining
WHY (or at least some reasons why) it is prevented.  In
other words, I was explaining why such a policy exists in
Firefox.  However, I believe that you can do these things
in Internet Explorer...

-Martin



      