[tor-bugs] #25482 [- Select a component]: Origin header sent from hidden service to clearnet websites

[Tor Bug Tracker & Wiki]

#25482: Origin header sent from hidden service to clearnet websites
--------------------------------------+--------------------
     Reporter:  kkm                   |      Owner:  (none)
         Type:  defect                |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+--------------------
 When browsing hidden service on Tor browser like
 `https://www.nytimes3xbfgragh.onion/`, XHR and fetch calls on this service
 to clear net websites/services like
 (https://securepubads.g.doubleclick.net) sends the name of hidden service
 in `origin` header.

 Given that Tor browser ensures that referrer are not sent from .onion to
 clearnet(https://trac.torproject.org/projects/tor/ticket/9623), not sure
 how big of an issue is XHR / fetch requests sending Origin header.

 Note:
 1. Would be worth checking, if not sending `Origin` header, breaks some
 functionality.
 2. Origin header is always capped to domain level. So in this case the
 service will not now the exact URL on hidden service, but at least will
 learn the hidden service name.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25482>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online