[tbb-bugs] #18080 [Tor Browser]: Do not strip the Access-Control-Allow-Origin header

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jan 17 10:57:03 UTC 2016


#18080: Do not strip the Access-Control-Allow-Origin header
-----------------------------+----------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Tor Browser  |    Version:
     Severity:  Normal       |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+----------------------
 It seems Tor Browser sometimes strips the Access-Control-Allow-Origin
 header. I ran into the issue when using Globe. When the header is stripped
 the browser console contains the warning
 {{{
 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
 remote resource at
 https://onionoo.torproject.org/details?lookup=299F0933E93B6571ED1CB3D52090E6E13D62427C.
 (Reason: CORS header 'Access-Control-Allow-Origin' missing).
 }}}

 The reasons why I believe Tor Browser is the cause are:
 1. Onionoo explicitly sets the
 [https://gitweb.torproject.org/onionoo.git/tree/src/main/java/org/torproject/onionoo/server/ResourceServlet.java#n343
 header].
 2. Responses from direct requests to an
 [https://onionoo.torproject.org/summary?limit=4 Onionoo resource] using
 Tor Browser sometimes do not show the header in the Network Monitor.
 3. Responses from direct requests to the same Onionoo resource using curl
 consistently contain the header.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18080>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
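
The comparison described in the ticket (the header present in some responses, missing in others), as an added example that is not part of the ticket and is not Tor Browser or Onionoo code. It models the browser's read check for a simple, non-credentialed cross-origin GET over several captured responses. The origin `https://globe.example`, the `*` header value and the captured header blocks are constructed assumptions.

```javascript
// Added example: model of the browser-side CORS read check, run over
// repeated captures of the same resource to spot intermittent stripping.

// Parse a raw response head into a lowercase-keyed map. Repeated headers
// are joined with ", ", which is how a duplicated header is combined.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + value : value);
  }
  return headers;
}

// Decide whether a page served from `origin` may read the response.
function corsCheck(origin, headers) {
  const acao = headers.get('access-control-allow-origin');
  if (acao === undefined) {
    return { allowed: false, reason: "CORS header 'Access-Control-Allow-Origin' missing" };
  }
  if (acao === '*' || acao === origin) return { allowed: true, reason: 'ok' };
  return { allowed: false, reason: `CORS header 'Access-Control-Allow-Origin' does not match '${acao}'` };
}

// Tally the captures; "intermittent" means some, but not all, were blocked.
function summarize(origin, captures) {
  const results = captures.map((raw) => corsCheck(origin, parseHeaders(raw)));
  const failed = results.filter((r) => !r.allowed);
  return {
    total: results.length,
    blocked: failed.length,
    intermittent: failed.length > 0 && failed.length < results.length,
    reasons: [...new Set(failed.map((r) => r.reason))],
  };
}

// Constructed captures (not real Onionoo responses); the second lacks the header.
const ORIGIN = 'https://globe.example'; // hypothetical page origin
const CAPTURES = [
  'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nAccess-Control-Allow-Origin: *\r\n\r\n',
  'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n',
  'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\naccess-control-allow-origin: *\r\n\r\n',
];

console.log(summarize(ORIGIN, CAPTURES));
```

Feeding it header blocks saved from the Network Monitor and from curl for the same URL shows whether the header is missing in every response or only in some of them.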

