[tor-bugs] #32255 [Applications/Tor Browser]: Missing ORIGIN header breaks CORS in Tor Browser 9.0

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 7 18:42:11 UTC 2019


#32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0
-------------------------------------------------+-------------------------
 Reporter:  complexparadox                       |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-9.0-issues, tbb-9.0.1-can, tbb-  |  Actual Points:
  regression, TorBrowserTeam201911               |
Parent ID:                                       |         Points:  2
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:12 acat]:
 > BTW, I mentioned this issue in the uplift meeting, and tom did not see
 any problem with just reverting the
 https://bugzilla.mozilla.org/show_bug.cgi?id=1503736 patch and go to the
 previous esr60 behaviour. It's not clear why that change was done.

 Maybe the authors of the patch
 [https://tools.ietf.org/html/rfc6454#section-7.3 read]
 {{{
 Whenever a user agent issues an HTTP request from a "privacy-
 sensitive" context, the user agent MUST send the value "null" in the
 Origin header field.
 }}}
 and arguably .onion sites could be seen as a privacy-sensitive context.
 Now, the question is whether we could just avoid stripping the header and
 set it to "null" instead?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32255#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
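
Added example, not part of the ticket or of any Tor Browser or Firefox code: a small model of why a stripped Origin header and an Origin of "null" lead to different CORS outcomes. The server policy shapes, the function names and the sample origin are hypothetical, and the server is assumed to treat a request without Origin as a non-CORS request, as much CORS middleware does.

```javascript
// Added illustration; policy shape and function names are hypothetical.

// Server side: choose CORS response headers. Assumption: like much CORS
// middleware, this server treats a request without Origin as non-CORS.
function corsResponseHeaders(requestHeaders, policy) {
  const origin = requestHeaders.origin;
  if (origin === undefined) return {};
  if (policy.wildcard) return { 'access-control-allow-origin': '*' };
  if (policy.allowlist.includes(origin)) {
    return { 'access-control-allow-origin': origin, vary: 'Origin' };
  }
  return {};
}

// Client side: simplified form of the CORS check in the Fetch standard.
function corsCheck(sentOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;      // no header, read is blocked
  if (acao === '*') return !withCredentials; // wildcard only without credentials
  return acao === sentOrigin;                // otherwise an exact string match
}

// sentOrigin: a serialized origin, the string "null", or undefined (stripped).
function crossOriginReadAllowed(sentOrigin, policy) {
  const requestHeaders = sentOrigin === undefined ? {} : { origin: sentOrigin };
  return corsCheck(sentOrigin, corsResponseHeaders(requestHeaders, policy));
}

const SITE = 'https://app.example'; // constructed sample origin
const wildcard = { wildcard: true, allowlist: [] };
const strict = { wildcard: false, allowlist: [SITE] };
const nullListed = { wildcard: false, allowlist: [SITE, 'null'] };

// Outcome for each client behaviour against each server policy.
function matrix() {
  const rows = {};
  for (const [name, sent] of [['real', SITE], ['stripped', undefined], ['null', 'null']]) {
    rows[name] = {
      wildcard: crossOriginReadAllowed(sent, wildcard),
      strict: crossOriginReadAllowed(sent, strict),
      nullListed: crossOriginReadAllowed(sent, nullListed),
    };
  }
  return rows;
}

console.table(matrix());
```

A server that lists "null" in its allowlist accepts every opaque origin (sandboxed iframes, data: documents), so that entry identifies no particular caller.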

