[tor-bugs] #18080 [Tor Browser]: Do not strip the Access-Control-Allow-Origin header

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 19 22:14:30 UTC 2016


#18080: Do not strip the Access-Control-Allow-Origin header
-------------------------+-----------------------------------
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  needs_information
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+-----------------------------------

Comment (by cypherpunks):

 Replying to [comment:5 bugzilla]:
 > Replying to [comment:4 cypherpunks]:
 > > Replying to [comment:3 bugzilla]:
 > > > Oops, algorithm in comment:2 is not so plain: first request is the second actually (first was in step 1)
 > > If the Firefox Developer Tools window isn't open at step 1, the Network tab doesn't show any requests when you first open it. With the first request I meant the first one in the request list in the Network tab after the refresh at step 4. There should be only one request in this list because the page I linked has no other resources it needs to load. Furthermore, the list of requests gets cleared after each refresh (which is the default unless the setting has been changed).
 > Not first request, but first shown request.
 This is what I meant, next time I'll use better wording.

 > > > it always misses header on alpha
 > > Does loading node information on [https://globe.torproject.org/] work for you on alpha when the header is missing?
 > Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://onionoo.torproject.org/details?lookup=D4125249A474408F0FBA4DB15AC207E31E4CF6B3. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
 This is the same error I got (see ticket description), so having that header go missing really is a problem.
 > > > except exitnode was changed by timeout
 > > Did the exit node change alter the responses you got?
 > The header is always present after New Circuit.
 I didn't test this before, but now that I did I see the same behavior.
 > > > how can it reappear if algorithm states to update only when header is not missing?
 > > This could happen when you continue to refresh after you found that the header is missing. The steps are only to reproduce the missing header case.
 > The header is always missed on step 5, so step 6 = false, why go to 4 (refresh)?
 Because previously the header didn't always go missing after the first refresh. Using a new circuit makes reproducing the issue reliable, thanks for pointing this out.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18080#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

