[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Yuri
yuri at rawbw.com
Wed Jan 22 00:39:05 UTC 2014
On 01/21/2014 15:20, TT Security wrote:
> Mozilla developers don't like such insignificant(from their point of
> view) :)
> Just ask Gijs Kruitbosch there: what would be if some application will
> send "Access-Control-Allow-Origin: *" in response?
>
> And he will answer to you: this is not the problem of firefox! :))
> you'll need control applications on your computer yourself, so if some
> application will reply with this header Firefox will allow ANY
> web-site from the global web read the reply and save it on its server :)
> This is like Firefox works now! :)
> They don't think forward!
> For example, IE and Opera don't allow acces to LAN resources from
> global web-sites by default.
Yes, I agree with you.
This is the situation which is currently not covered by any particular
web standard, therefore this is a gray area. I am sure CORS designers
didn't mean to allow global->LAN data access through XMLHttpRequest. And
browser developers being busy with other things just stick to the path
of least resistance.
Chrome developers already rejected this PR because this isn't requested
by standards. And FF will probably do the same.
Yuri
More information about the tor-talk
mailing list