-
Notifications
You must be signed in to change notification settings - Fork 339
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Send "null" Origin headers on cross-origin requests from an RFC7686 address #1350
Comments
Thanks for raising this. There's also #248 which we could address now I think (although I'm not familiar with the details). |
Yeah, I'm not too sure exactly where that should be addressed in Fetch. I'm also not familiar with how it's implemented in Firefox. |
If I understand the proposal correctly, this would have the effect of disabling meaningful access controls for resources that A weaker version of this proposal would apply the restriction to no-cors requests, but not to CORS requests (similar conceptually to the |
That's a good point. It seems indeed like an unfortunate side-effect of the current implementation in Tor Browser. My understanding of what Tor Browser is trying to protect here is an Onion service accidentally leaking its identity via linking to or embedding cross-origin resources. If we limited this new restriction to no-CORS requests, then the only case of accidental leakage I can think of would be Onion services using an anonymous CORS request in order to use subresource integrity with |
I'm happy to file implementation bugs and work on the tests, but before that, I'd like to know whether that's a change that Chrome and Firefox (others?) would be willing to make. (I would also be happy to work on upstreaming the Brave changes to Chromium.) Is @mikewest 's suggestion (only touching |
Some developers do seem to expect that CORS would include
Coupled with the fact that depending on CORS is quite easy (e.g., using a cross-site library for a font), I don't think we want it to leak by default. Having said that, I could imagine supporting some kind of policy for this for I'd additionally like to solicit feedback from those more closely involved with (Aside: I think it's also a bug in Tor Browser and possibly Firefox therefore that a ` |
The special-use
.onion
domain name, defined in RFC7686, receives special treatment in the Tor browser and in Firefox: https://searchfox.org/mozilla-central/rev/6c8d325e61b0b445ed2e04899da38c3a4c266cba/netwerk/protocol/http/nsCORSListenerProxy.cpp#979-984It seems like this behavior should be standardized since any browser could be setup to proxy traffic over the Tor SOCKS5 proxy.
I also filed an issue against the Referrer Policy spec to address the Referrer header.
The text was updated successfully, but these errors were encountered: