[tor-bugs] #32865 [Applications/Tor Browser]: Setting Origin: null header still breaks CORS in Tor Browser 9.5

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 3 16:06:57 UTC 2020


#32865: Setting Origin: null header still breaks CORS in Tor Browser 9.5
--------------------------------------+--------------------------
 Reporter:  micahlee                  |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

 Replying to [comment:3 alecmuffett]:
 > This strikes me as a fairly fundamental question: Tor Browser in this
 instance is intentionally not following web standards behaviour in order
 to protect the "privacy of existence" / secrecy of given onion sites or
 pages.

 Huh! We _are_ following web standards here. You might enjoy reading:
 https://tools.ietf.org/html/rfc6454#section-7.3. I'll quote the relevant
 part for you:
 {{{
 Whenever a user agent issues an HTTP request from a "privacy-
 sensitive" context, the user agent MUST send the value "null" in the
 Origin header field.
 }}}
 Note the `MUST` here. I think assuming that .onion sites are privacy-
 sensitive is a good default, as well.

 Then there is https://fetch.spec.whatwg.org/#origin-header you might enjoy
 as well. (No referer actually boils down to Origin: null as well.)

 Actually, the discussion in #32255 might be useful, too, where we fixed
 Mozilla's bogus behavior.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32865#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
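
The behaviour discussed in this ticket, as an added example that is not part of the original message or of Tor Browser's code: a server-side CORS allow-list decision paired with a browser-side check modelled on the Fetch standard's CORS check, showing why a request sent with `Origin: null` fails against an allow-list of serialized origins. The function names, the policy object and the onion origin are constructed for illustration.

```javascript
// What the user agent sends in Origin (RFC 6454 section 7.3): "null" from a
// privacy-sensitive context, otherwise the serialized origin of the page.
function originHeader(pageOrigin, privacySensitive) {
  return privacySensitive ? "null" : pageOrigin;
}

// Hypothetical server policy: explicit allow-list of serialized origins.
function corsResponseHeaders(requestOrigin, policy) {
  if (requestOrigin === undefined) return {};        // no Origin header at all
  const headers = { "Vary": "Origin" };              // response depends on Origin
  if (requestOrigin === "null") {
    // "null" is shared by every opaque origin (privacy-sensitive contexts,
    // sandboxed iframes, data: URLs), so it identifies no one: answer it only
    // on explicit opt-in and never grant credentials to it.
    if (policy.allowNullOrigin) headers["Access-Control-Allow-Origin"] = "null";
    return headers;
  }
  if (policy.allowedOrigins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: compare the response headers with the value that was sent.
function corsCheck(sentOrigin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;              // no grant: response blocked
  if (!withCredentials && acao === "*") return true;
  if (acao !== sentOrigin) return false;             // exact string comparison
  if (!withCredentials) return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

function demo() {
  const site = "http://exampleonionaddress.onion";   // constructed sample origin
  const strict = { allowedOrigins: [site], allowCredentials: true, allowNullOrigin: false };
  const lax = { ...strict, allowNullOrigin: true };
  const sent = originHeader(site, true);             // privacy-sensitive context
  return {
    sent,
    strictOk: corsCheck(sent, false, corsResponseHeaders(sent, strict)),
    laxOk: corsCheck(sent, false, corsResponseHeaders(sent, lax)),
    laxWithCreds: corsCheck(sent, true, corsResponseHeaders(sent, lax)),
    normalOk: corsCheck(site, true, corsResponseHeaders(site, strict)),
  };
}
```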

