[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

Yuri yuri at rawbw.com
Tue Jan 21 11:23:11 UTC 2014


On 01/21/2014 02:08, Mike Cardwell wrote:
> If you can use XMLHttpRequest to perform a request against a machine
> on your LAN that isn't using CORS, and then read the response, then
> there is a bug, and you will get a healthily sized cheque from Google
> or Mozilla for reporting it to them. If you can't read the response
> then there isn't a bug. What you're seeing is: how the web works.

I think a CORS request from a global URI into a local URL is plainly illegal. 
A global site can't even be doing this, no matter what CORS says. This is 
beyond the scope of CORS. Global sites can't see local services, no 
matter what services exist in the LAN, and no matter if they use CORS or not.

How can a request from www.yahoo.com contain 192.168.1.10 in it? This is 
just invalid.

Yuri
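The request/response behaviour Mike describes above, as an added example that is not part of the original thread and not code from Tor, Mozilla or NoScript: a small Node.js model of how a browser applies CORS to a cross-origin XMLHttpRequest aimed at a constructed LAN service. The 192.168.1.10 host and the /admin path are labels only; nothing is contacted over the network. What it makes concrete is that for a simple GET the request still reaches the device and any side effect it has still happens; CORS only decides whether the page may read the reply. Preflighted requests differ: the real request is withheld when the OPTIONS probe does not come back with matching CORS headers.

```javascript
'use strict';

// Constructed stand-in for a LAN device (think of the 192.168.1.10 from the
// thread). allowOrigin is the value it puts in Access-Control-Allow-Origin,
// or null for a device that knows nothing about CORS.
function makeLanService(allowOrigin) {
  const log = [];
  return {
    log,
    handle(req) {
      // The service sees every request the browser sends, CORS or not.
      log.push({ method: req.method, path: req.path, origin: req.origin });
      const headers = {};
      if (allowOrigin !== null) {
        headers['access-control-allow-origin'] = allowOrigin;
        headers['access-control-allow-methods'] = 'GET, POST, PUT';
      }
      if (req.method === 'OPTIONS') {
        return { status: 204, headers, body: '' };
      }
      return { status: 200, headers, body: `admin page ${req.path} (${req.method})` };
    },
  };
}

// CORS "simple request" rule, reduced to method and custom-header checks
// (the Content-Type special cases of the real rule are left out here).
function isSimpleRequest(method, headers) {
  return ['GET', 'HEAD', 'POST'].includes(method) && Object.keys(headers).length === 0;
}

// May the page at pageOrigin read this response? Only if the server opted in.
function corsAllowsRead(pageOrigin, response) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Model of a cross-origin XMLHttpRequest issued by a page at pageOrigin.
// Returns whether the real request was sent and what the page can read.
function crossOriginRequest(pageOrigin, service, method, path, headers = {}) {
  if (!isSimpleRequest(method, headers)) {
    // Non-simple requests are preflighted: if the device does not answer the
    // OPTIONS probe with matching CORS headers, the real request is never
    // sent, so no side effect happens on the device.
    const pre = service.handle({ method: 'OPTIONS', path, origin: pageOrigin });
    const allowed = (pre.headers['access-control-allow-methods'] || '')
      .split(',').map((m) => m.trim());
    if (!corsAllowsRead(pageOrigin, pre) || !allowed.includes(method)) {
      return { sent: false, readable: false, body: null };
    }
  }
  const res = service.handle({ method, path, origin: pageOrigin, headers });
  if (!corsAllowsRead(pageOrigin, res)) {
    // The request reached the device (see service.log); the page only
    // loses the ability to read the result.
    return { sent: true, readable: false, body: null };
  }
  return { sent: true, readable: true, body: res.body };
}

// Walk through the scenario from the thread with constructed inputs.
function scenario() {
  const page = 'https://www.yahoo.com';
  const closed = makeLanService(null); // device that never sends CORS headers
  const open = makeLanService('*');    // device that opts in for every origin
  const simpleGetClosed = crossOriginRequest(page, closed, 'GET', '/admin');
  const closedLogAfterGet = closed.log.length;
  const preflightedPutClosed = crossOriginRequest(page, closed, 'PUT', '/admin', { 'x-token': '1' });
  return {
    simpleGetClosed,
    closedLogAfterGet,
    preflightedPutClosed,
    closedSawPut: closed.log.some((e) => e.method === 'PUT'),
    simpleGetOpen: crossOriginRequest(page, open, 'GET', '/admin'),
    preflightedPutOpen: crossOriginRequest(page, open, 'PUT', '/admin', { 'x-token': '1' }),
  };
}
```

Run it with node and inspect scenario(): against the CORS-unaware device the GET is delivered (its log grows) but comes back unreadable, the PUT never leaves the browser, and against the opted-in device both are readable. Real browsers add rules this model skips (Content-Type exceptions, credentialed requests, the response being exposed as opaque rather than absent), and the fact that the GET is delivered at all is exactly what the NoScript ABE ruleset proposed in the subject line is meant to stop.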
