[tbb-bugs] #32255 [Applications/Tor Browser]: Missing ORIGIN header breaks CORS in Tor Browser 9.0
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 1 07:48:35 UTC 2019
#32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0
-------------------------------------------------+-------------------------
Reporter: complexparadox                         | Owner: tbb-team
Type: defect                                     | Status: new
Priority: Medium                                 | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Normal                                 | Resolution:
Keywords: tbb-9.0-issues, tbb-9.0.1-can,         | Actual Points:
          tbb-regression, TorBrowserTeam201910   |
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Hm! The idea behind the pref was avoiding information leakage when coming
from an .onion domain while requesting a non-onion one. See: #22320 for a
scenario.
The patch that got uplifted
(https://bugzilla.mozilla.org/show_bug.cgi?id=1305144) strips the Referer
header if the domain in that header would be a .onion one (it does not
matter whether the target domain is a .onion or not).
So, the question here is: should the Origin header follow that model to
prevent information leakage, or is the use case a different one (or better:
are there use cases that are different enough from the Referer one that we
need a more nuanced approach here)?
I am not sure yet, to be honest.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32255#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
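Added example (not code from the ticket or from Tor Browser) modelling the uplifted Referer rule gk describes and the dilemma it raises for Origin: the .onion page, the clearnet API, its allow-list and the `strip_onion_origin` switch are constructed assumptions, and the server-side CORS check is a minimal stand-in for a real one.

```python
from urllib.parse import urlsplit


def is_onion(url: str) -> bool:
    """True when the URL's host is a .onion address (the leak-sensitive case)."""
    host = urlsplit(url).hostname or ""
    return host.endswith(".onion")


def origin_of(url: str) -> str:
    """Serialise the origin (scheme://host[:port]) of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def browser_headers(page_url: str, strip_onion_origin: bool) -> dict:
    """Headers a page at page_url attaches to a cross-origin request.

    Referer follows the rule from the comment: dropped whenever the referring
    domain is .onion, regardless of the target.  Origin is dropped under the
    same rule only when strip_onion_origin is set (a hypothetical model of
    'Origin follows the Referer model', not Tor Browser's behaviour).
    """
    headers = {"Referer": page_url, "Origin": origin_of(page_url)}
    if is_onion(page_url):
        del headers["Referer"]
        if strip_onion_origin:
            del headers["Origin"]
    return headers


def leaks_onion(headers: dict) -> list:
    """Names of headers that would reveal a .onion hostname to the target."""
    return [name for name, value in headers.items() if is_onion(value)]


def cors_allows(headers: dict, allowed_origins: set) -> bool:
    """Minimal server-side CORS decision: without an Origin header a
    cross-origin request cannot be matched against the allow-list."""
    origin = headers.get("Origin")
    return origin is not None and origin in allowed_origins


# Constructed sample values: an onion-hosted page calling a clearnet API
# whose CORS allow-list contains exactly that onion origin.
PAGE = "http://exampleonionaddress.onion/app"
ALLOW = {origin_of(PAGE)}

if __name__ == "__main__":
    for strip in (False, True):
        h = browser_headers(PAGE, strip_onion_origin=strip)
        print(f"strip_onion_origin={strip}: leaks={leaks_onion(h)} "
              f"cors_ok={cors_allows(h, ALLOW)}")
```

With `strip_onion_origin=False` the Referer is gone but Origin still carries the .onion host (the leak gk worries about); with `True` nothing leaks, but the allow-list can no longer match and CORS fails, which is the breakage the ticket title reports.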