[tbb-bugs] #32865 [Applications/Tor Browser]: Setting Origin: null header still breaks CORS in Tor Browser 9.5

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 3 18:24:03 UTC 2020


#32865: Setting Origin: null header still breaks CORS in Tor Browser 9.5
--------------------------------------+--------------------------
 Reporter:  micahlee                  |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by alecmuffett):

 Replying to [comment:4 gk]:
 > Huh! We _are_ following web standards here. You might enjoy reading:
 > https://tools.ietf.org/html/rfc6454#section-7.3. I'll quote the relevant
 > part for you:
 > {{{
 > Whenever a user agent issues an HTTP request from a "privacy-
 > sensitive" context, the user agent MUST send the value "null" in the
 > Origin header field.
 > }}}
 > Note the `MUST` here. I think assuming that .onion sites are
 > privacy-sensitive is a good default, as well.

 I stand corrected re: the text, but I differ on the presumption that all
 ".onion" sites are privacy-sensitive by default; because (apart from
 anything else) that you describe this as a "default" suggests there is a
 way to override the behaviour.

 I am not aware of a way for a website to declare to Tor Browser that it
 should override this behaviour? Am I again wrong?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32865#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online