[tor-bugs] #32255 [Applications/Tor Browser]: Missing ORIGIN header breaks CORS in Tor Browser 9.0
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 7 19:28:43 UTC 2019
#32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0
-------------------------------------------------+-------------------------
Reporter: complexparadox | Owner: tbb-
| team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-9.0-issues, tbb-9.0.1-can, tbb- | Actual Points:
regression, TorBrowserTeam201911 |
Parent ID: | Points: 2
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Hm,
{{{
+ if (!currentOrgin.EqualsIgnoreCase(origin.get()) &&
+ StringEndsWith(potentialOnionHost, NS_LITERAL_CSTRING(".onion")))
{
+ origin.Truncate();
+ }
+ }
+
rv = http->SetRequestHeader(nsDependentCString(net::nsHttp::Origin),
origin, false);
NS_ENSURE_SUCCESS(rv, rv);
}}}
and
{{{
+ if (!origin.EqualsIgnoreCase(currentOrigin.get())) {
+ // Origin header is suppressed by .onion
+ return;
+ }
+ }
}
rv = mRequestHead.SetHeader(nsHttp::Origin, origin, false /* merge
*/);
}}}
does not even seem to be the same behavior depending on whether the code
takes the `nsHttpChannel` or the `nsCORSListenerProxy` path or am I
missing something here?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32255#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list