Tor allows Cross-Site Request initiations to localhost
Please also see the discussion on the Tor-Talk mailing list:
I'll try to condense the discussion into a single problem. I have not tried to reproduce this myself, but several people confirm the behaviour on the list.
User TT-Security points out that the Tor Browser Bundle allows any website to initiate cross-site requests to localhost. This is possible because the Tor Browser proxy settings exempt "localhost, 127.0.0.1" from using the proxy (see Options -> Advanced -> Network -> Settings -> No proxy for).
I said "initiate" requests, because the Same-Origin policy of Firefox in most cases prevents the website from reading the localhost response: to make it readable, the localhost server must return an HTTP Access-Control-Allow-Origin header with the appropriate value.
This is, however, still a problem in the Tor Browser Bundle security model, as arbitrary websites can launch requests to localhost services, even if they cannot read the response.
I must note that requests to private addresses (such as 192.168.0.1) are safe because they are properly proxied through Tor (but will of course fail).
Solutions would include removing localhost from "No proxy for" or enabling NoScript's Application Boundaries Enforcer.
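An audit sketch for the first solution, added here as an example and not part of the original report or of Tor Browser: it reads a profile's prefs.js text and lists the "No proxy for" entries that name or cover a loopback address. It assumes the field is stored in the Firefox preference `network.proxy.no_proxies_on`; the sample prefs text and the function names are constructed, and the entry matching is a simplified reading of the list, not Firefox's own matcher.

```python
import ipaddress
import re

# Firefox preference assumed to back the "No proxy for" field.
NO_PROXY_PREF = "network.proxy.no_proxies_on"

# Constructed prefs.js fragment (not taken from a real profile).
SAMPLE_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.M)

def read_pref(prefs_text, name):
    """Return a pref's value as a string (quotes removed), or None if unset."""
    for key, raw in PREF_RE.findall(prefs_text):
        if key == name:
            return raw.strip().strip('"')
    return None

def is_loopback_entry(entry):
    """True if one exemption entry names or covers a loopback address."""
    entry = entry.strip().lower()
    # Drop an optional port: "[::1]:8080", "localhost:8080", "127.0.0.1:80".
    if entry.startswith("["):
        host = entry[1:].split("]", 1)[0]
    elif entry.count(":") == 1:
        host = entry.split(":", 1)[0]
    else:
        host = entry
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        net = ipaddress.ip_network(host, strict=False)  # accepts IP or CIDR
    except ValueError:
        return False  # some other hostname or domain suffix
    loop = "127.0.0.0/8" if net.version == 4 else "::1/128"
    return net.overlaps(ipaddress.ip_network(loop))

def loopback_exemptions(prefs_text):
    """Entries in the exemption list that let loopback requests skip the proxy."""
    value = read_pref(prefs_text, NO_PROXY_PREF) or ""
    return [e.strip() for e in value.split(",") if is_loopback_entry(e)]

if __name__ == "__main__":
    print("loopback exemptions:", loopback_exemptions(SAMPLE_PREFS))
```

An empty result means no listed entry lets a loopback destination skip the proxy; private addresses such as 192.168.0.1 are not flagged, matching the report's note that they are proxied.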