[tor-bugs] #18080 [Tor Browser]: Do not strip the Access-Control-Allow-Origin header
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jan 20 09:16:35 UTC 2016
#18080: Do not strip the Access-Control-Allow-Origin header
-------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+-----------------------------------
Comment (by gk):
Replying to [comment:7 cypherpunks]:
> The steps to reproduce this issue reliably are now
>
> 1. Go to [https://onionoo.torproject.org/summary?limit=1].
> 2. Open the Firefox Developer Tools window.
> 3. Go to the Network tab.
> 4. Use a new Tor circuit for the page.
> 5. The Access-Control-Allow-Origin header should now be among the
response headers of the first shown request.
> 6. Refresh the page with F5.
> 7. The Access-Control-Allow-Origin header isn't among the response
headers of the first shown request anymore.
This happens in a vanilla Firefox as well and is probably related to the
refresh behavior done via F5. If I reload the page with Ctrl+Shift+R I
always get the Access-Control-Allow-Origin header. So, I guess this is not
a bug. That said, while testing I did not encounter the "Cross-Origin
Request Blocked:"-message. Thus, there might still be more to it. How can
I reproduce that one?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18080#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list