[tor-bugs] #32255 [Applications/Tor Browser]: Missing ORIGIN header breaks CORS in Tor Browser 9.0
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 24 10:00:51 UTC 2019
#32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0
----------------------------+------------------------------------------
Reporter: complexparadox | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Component: Applications/Tor Browser
Version: | Severity: Blocker
Keywords: cors | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------+------------------------------------------
Looks like there is an issue on Tor Browser 9.0 which affects our CORS
allowance setup, at least with the dependency django-cors-headers, because
it fails to send the expected header ORIGIN in the OPTIONS preflight. It
works fine using the latest 8 version. We've noticed this only happens
when the CORS request source is a .onion address, otherwise it works as
usual.
Example:
public.com XHR OPTIONS >> publicapi.com (ORIGIN HEADER INCLUDED, WORKS)
hidden.onion XHR OPTIONS >> publicapi.com (MISSING ORIGIN HEADER, BREAKS)
hidden.onion XHR OPTIONS >> hiddenapi.onion (MISSING ORIGIN HEADER,
BREAKS)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32255>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list