[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

Mike Cardwell tor at lists.grepular.com
Tue Jan 21 09:58:45 UTC 2014


* on the Tue, Jan 21, 2014 at 10:18:26AM +0100, Max Jakob Maass wrote:

> $ nc -l -p 1234
> GET / HTTP/1.1
> Host: 127.0.0.1:1234
> Connection: keep-alive
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/32.0.1700.77 Safari/537.36
> Origin: http://tortestprivacy.url.ph
> Accept: */*
> DNT: 1
> Referer: http://tortestprivacy.url.ph/
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8,de;q=0.6
> 
> So, apparently, Google does not enforce a same origin policy on this,
> either.

There is some misunderstanding of cross-origin policy here. Cross-origin
policy does not prevent the cross-origin request from taking place. It
only prevents you from being able to read the response.

There would be no point in preventing the request from taking place
as people can initiate them already, without even using JavaScript.
For example, the above request could have been made by just sticking
this in some HTML:

<img src="http://127.0.0.1:1234/">

There is no cross-origin policy violation by doing that.

You can not read the response of a cross-origin AJAX request *unless*
an Access-Control-Allow-Origin header is returned with the response,
and only if that Access-Control-Allow-Origin header allows your
particular origin (or all origins) to do so.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
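The two rules stated above (the cross-origin request always goes out; the calling page can read the response only when Access-Control-Allow-Origin permits its origin) modelled in plain JavaScript, as an added example that is not part of the original post. It also shows the allow-list a LAN service would use instead of reflecting any Origin; header names are assumed lowercased, and the allow-list entries and sample values are constructed.

```javascript
// Added example, not from the thread. Models the browser's CORS read check
// for a simple cross-origin request, and the server-side allow-list decision
// a LAN service would make. Header keys are assumed to be lowercased.

// Can a page at `origin` read a response carrying `headers`?
// Mirrors what the browser enforces: the request happened regardless.
function canReadResponse(origin, headers, withCredentials = false) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;          // no header: response is opaque
  if (acao === '*') return !withCredentials;     // wildcard is refused when credentials were sent
  if (acao !== origin) return false;             // exact match only; no prefix or substring matching
  if (withCredentials) {
    // With credentials the server must also opt in explicitly.
    return headers['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// Server side: which Access-Control-Allow-Origin value to emit, if any.
// Returns null to send no header, which keeps the response unreadable
// to scripts on other origins (the request itself is still served).
function corsHeaderFor(requestOrigin, allowedOrigins) {
  if (requestOrigin === undefined) return null;  // no Origin: not a cross-origin browser request
  return allowedOrigins.includes(requestOrigin) ? requestOrigin : null;
}

// Walk the scenario from the thread with constructed values: a LAN listener
// receives a request whose Origin is the public test page.
function demonstrate() {
  const requestOrigin = 'http://tortestprivacy.url.ph';  // from the quoted request
  const lanAllowList = ['http://intranet.example'];      // hypothetical allow-list
  const acao = corsHeaderFor(requestOrigin, lanAllowList);
  const responseHeaders = acao === null ? {} : { 'access-control-allow-origin': acao };
  return {
    requestReachedServer: true,                          // always true; CORS never blocks this
    pageCanReadResponse: canReadResponse(requestOrigin, responseHeaders),
  };
}
```

`demonstrate()` returns `{ requestReachedServer: true, pageCanReadResponse: false }`: the LAN service still received and answered the request, but the script on the public page learns nothing from the reply.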