[tbb-bugs] #32255 [Applications/Tor Browser]: Missing ORIGIN header breaks CORS in Tor Browser 9.0

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 1 07:48:35 UTC 2019


#32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0
-------------------------------------------------+-------------------------
 Reporter:  complexparadox                       |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-9.0-issues, tbb-9.0.1-can, tbb-  |  Actual Points:
  regression, TorBrowserTeam201910               |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Hm! The idea behind the pref was avoiding information leakage when coming
 from an .onion domain while requesting a non-onion one. See: #22320 for a
 scenario.

 The patch that got uplifted
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1305144) strips the Referer
 header if the domain in that header would be a .onion one (it does not
 matter whether the target domain is a .onion or not).

 So, the question here is: should the Origin header follow that model to
 prevent information leakage or is the use case a different one (or better:
 are there use cases that are different enough from the Referer one that we
 need a more nuanced approach here)?

 I am not sure yet, to be honest.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32255#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
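The trade-off gk describes above, as an added illustration that is not part of the ticket and is not Tor Browser or Firefox code: a small model of the Referer-stripping rule from the uplifted patch (drop the header when the referring host is a .onion domain, regardless of the target) next to a minimal CORS exchange, so the effect of extending the same rule to the Origin header is visible. All function names are the example's own, and the page and API URLs are constructed sample values.

```python
"""Model of the .onion Referer-stripping rule described in the ticket, and of
what a CORS-enabled server does when the Origin header is absent.

Hypothetical example: the function names are this example's own and the
sample URLs are constructed values, not addresses from the ticket."""
from urllib.parse import urlsplit


def is_onion_host(hostname):
    """True if hostname is a .onion name (case-insensitive, trailing dot tolerated)."""
    return hostname is not None and hostname.lower().rstrip(".").endswith(".onion")


def should_strip_referer(referer_url, target_url):
    """The rule as the comment describes it: Referer is dropped when the
    referring host is .onion; the target host plays no part in the decision."""
    del target_url  # intentionally unused: the destination does not matter
    return is_onion_host(urlsplit(referer_url).hostname)


def origin_of(url):
    """Serialise a URL's origin (scheme://host[:port]) as the Origin header does."""
    parts = urlsplit(url)
    if parts.port is None:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{parts.port}"


def build_request_headers(page_url, target_url, strip_origin_like_referer):
    """Headers a browser attaches to a cross-origin fetch from page_url.
    strip_origin_like_referer models the open question in the ticket: whether
    Origin should follow the Referer rule for .onion pages."""
    headers = {}
    if not should_strip_referer(page_url, target_url):
        headers["Referer"] = page_url
    page_origin = origin_of(page_url)
    if page_origin != origin_of(target_url):  # same-origin fetches carry no Origin here
        page_is_onion = is_onion_host(urlsplit(page_url).hostname)
        if not (strip_origin_like_referer and page_is_onion):
            headers["Origin"] = page_origin
    return headers


def cors_server_response(request_headers, allowed_origins):
    """Minimal server-side CORS: echo an allowed Origin back, otherwise stay silent.
    With no Origin header the server cannot emit Access-Control-Allow-Origin, so
    the browser blocks the cross-origin read; that is the breakage #32255 reports."""
    origin = request_headers.get("Origin")
    if origin is not None and origin in allowed_origins:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def cross_origin_read_allowed(page_url, response_headers):
    """Browser-side check: the response must name the page's origin (or '*')."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao is not None and acao in ("*", origin_of(page_url))


def simulate(page_url, target_url, allowed_origins, strip_origin_like_referer):
    """Run one cross-origin fetch through both sides and report the outcome."""
    req = build_request_headers(page_url, target_url, strip_origin_like_referer)
    resp = cors_server_response(req, allowed_origins)
    return {
        "request_headers": req,
        "response_headers": resp,
        "read_allowed": cross_origin_read_allowed(page_url, resp),
    }


if __name__ == "__main__":
    ONION_PAGE = "http://exampleonionaddress.onion/app"  # constructed sample value
    CLEARNET_API = "https://api.example.com/data"        # constructed sample value
    allowed = {origin_of(ONION_PAGE)}
    for strip in (False, True):
        result = simulate(ONION_PAGE, CLEARNET_API, allowed, strip_origin_like_referer=strip)
        print(f"strip Origin like Referer={strip}: {result}")
```

Running it shows the two sides of gk's question: with the Referer rule alone, the .onion page leaks nothing via Referer but the API still sees an Origin it can allow-list; extending the rule to Origin hides the .onion origin from the clearnet server at the cost of every cross-origin read being blocked.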

