[tbb-bugs] #32255 [Applications/Tor Browser]: Missing ORIGIN header breaks CORS in Tor Browser 9.0
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 4 14:36:49 UTC 2019
#32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0
-------------------------------------------------+-------------------------
Reporter: complexparadox | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-9.0-issues, tbb-9.0.1-can, tbb-regression, TorBrowserTeam201910 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by acat):
If I understand it correctly, if we talk about `Referer` headers this
patch is currently only making it easier to not leak the .onion referrer
by default, but it should be possible to achieve the same via the right
`Referrer-Policy`, right?

With `Origin` I think it's different, because the patch allows something
that *I think* is not possible in regular browsers: to issue xhr (fetch,
xmlhttprequest) requests without the `Origin` header. Well, it's possible
to do with `fetch` + `mode: no-cors` option, but you only get an "opaque"
response.

I'm also not sure about what we should do here. One possibility would be
to simply go back to previous esr60 behaviour and not strip the `Origin`
header for xhr requests. This however would make it not possible to do
`fetch` requests without `Origin`. While that's what happens in regular
browsers, I think being able to do fetch requests without `Origin` can be
useful for .onion websites.

If we want to keep the current default behaviour, one possibility for
people that need CORS in .onions could be to make `Origin/Referer` headers
opt-in based on the page (or fetch API) `Referrer-Policy`. While linking
the `Origin` header to the `Referrer-Policy` might be surprising (and
non-standard), I think it would be safe to assume that a website that has an
explicit policy like `no-referrer-when-downgrade` would be fine to have
both `Referer` and `Origin` header in requests. If this approach would
work, I guess we could change the default `Referrer-Policy` from
`no-referrer-when-downgrade` to something like `same-origin`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32255#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
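
The failure named in the ticket title, modelled as an added example that is not part of the original message or of Tor Browser's code: a server that allow-lists origins by reflecting the request's `Origin` header emits no CORS headers when that header is stripped, so the browser-side CORS check (simplified from the Fetch standard, without credentials) fails. The allowlist, the .onion name and all function names are constructed for illustration.

```javascript
// Constructed allowlist entry; not a real onion service.
const ALLOWED = new Set(["http://exampleonionaddress.onion"]);

// Server side: a common allowlist pattern that reflects the request's Origin.
function serverCorsHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (origin !== undefined && ALLOWED.has(origin)) {
    return { "access-control-allow-origin": origin, "vary": "Origin" };
  }
  // No Origin header (or an unlisted origin): no CORS headers are emitted.
  return {};
}

// Browser side: CORS check on the response, credentials not included.
function corsCheck(pageOrigin, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false; // header missing: check fails
  if (acao === "*") return true;        // wildcard is allowed without credentials
  return acao === pageOrigin;           // otherwise must match the page's origin exactly
}

// What a script running on pageOrigin gets back for a cross-origin request.
// sendOrigin=false models the behaviour the ticket reports for Tor Browser 9.0.
function fetchOutcome(pageOrigin, { mode, sendOrigin }) {
  const requestHeaders = sendOrigin ? { origin: pageOrigin } : {};
  const responseHeaders = serverCorsHeaders(requestHeaders);
  if (mode === "no-cors") return "opaque"; // body and headers hidden from script
  return corsCheck(pageOrigin, responseHeaders) ? "readable" : "blocked";
}

const page = "http://exampleonionaddress.onion";
console.log(fetchOutcome(page, { mode: "cors", sendOrigin: true }));     // Origin sent
console.log(fetchOutcome(page, { mode: "cors", sendOrigin: false }));    // Origin stripped
console.log(fetchOutcome(page, { mode: "no-cors", sendOrigin: false })); // opaque response
```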