[tor-bugs] #32865 [Applications/Tor Browser]: Setting Origin: null header still breaks CORS in Tor Browser 9.5
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jan 3 10:49:04 UTC 2020
#32865: Setting Origin: null header still breaks CORS in Tor Browser 9.5
--------------------------------------+--------------------------
Reporter: micahlee | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by alecmuffett):
This strikes me as a farily fundamental question: Tor Browser in this
instance is intentionally not following web standards behaviour in order
to protect the "privacy of existence" / secrecy of given onion sites or
pages. Questions for the TBB team include whether this non-standard
behaviour will be plausibly copied (mandated?) in other browsers that
implement onion networking, and how practical it is to assume that
any/every onion site's threat model includes by-default privacy/secrecy,
thereby breaking onions for (e.g.) TheIntercept and who knows whom else in
future?
Making broad assumptions of "intent" at layer 7, on the basis of layer 3,
will continue to have unexpected consequences as Onion networking is more
generally adopted.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32865#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list