Closed Bug 1598647 Opened 2 years ago Closed 2 years ago

Set Origin to null with network.http.referer.hideOnionSource

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox72 --- fixed

People

(Reporter: acat, Assigned: acat)

Details

(Whiteboard: [tor 32255][domsecurity-active])

Attachments

(2 files)

Bug 1503736 removed the Origin headers from cross-origin requests coming from .onion when network.http.referer.hideOnionSource is enabled. In Tor Browser we changed that to Origin: null as we believe it's closer to spec. In https://tools.ietf.org/html/rfc6454#section-7.3 it says:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

And in the newer fetch spec, even though it does not mention "privacy-sensitive" contexts, the Origin is also set to null when the Referer is not sent.

The ticket in Tor is https://trac.torproject.org/projects/tor/ticket/32255.

Assignee: nobody → acat
Whiteboard: [tor 32255]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Whiteboard: [tor 32255] → [tor 32255][domsecurity-active]
Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/af2c6b5255e9
Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8d54e39d7cde
Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu
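
A simplified model of the header decision described in this bug, added here as an illustration; it is not Firefox or Tor Browser code. The function names, the `behaviour` switch and the sample URLs are assumptions, and the model assumes the request is one on which an Origin header would be sent at all.

```javascript
// Added example: models only what the bug report states. Not browser source code.
// `originHeader`, `isOnionHost` and the `behaviour` option are hypothetical names.

// True when the URL's host is under .onion (case-insensitive, trailing dot tolerated).
function isOnionHost(url) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  return host.endsWith(".onion");
}

// Returns the Origin header value for a request from sourceUrl to targetUrl,
// or undefined when no Origin header is sent.
//   hideOnionSource: models the network.http.referer.hideOnionSource pref
//   behaviour: "bug1503736" (header removed) or "bug1598647" (Origin: null)
function originHeader(sourceUrl, targetUrl,
                      { hideOnionSource, behaviour = "bug1598647" } = {}) {
  const source = new URL(sourceUrl).origin; // scheme://host[:port]
  const crossOrigin = source !== new URL(targetUrl).origin;

  if (hideOnionSource && crossOrigin && isOnionHost(sourceUrl)) {
    // The .onion address must not leak to another origin.
    // Earlier behaviour: omit the header. This bug: send the literal "null",
    // as RFC 6454 section 7.3 requires for privacy-sensitive contexts.
    return behaviour === "bug1503736" ? undefined : "null";
  }
  // Same-origin request, non-onion source, or pref disabled: origin is sent.
  return source;
}

// Constructed sample URLs, not real services.
const ONION_PAGE = "http://constructedexample.onion/page";
const CLEARNET_API = "https://example.com/api";

function demo() {
  return {
    after: originHeader(ONION_PAGE, CLEARNET_API, { hideOnionSource: true }),
    before: originHeader(ONION_PAGE, CLEARNET_API,
                         { hideOnionSource: true, behaviour: "bug1503736" }),
    sameOrigin: originHeader(ONION_PAGE, "http://constructedexample.onion/x",
                             { hideOnionSource: true }),
    prefOff: originHeader(ONION_PAGE, CLEARNET_API, { hideOnionSource: false }),
  };
}

console.log(demo());
```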