Bug 1598647: Set Origin to null with network.http.referer.hideOnionSource
Status: RESOLVED FIXED (opened 5 years ago, closed 5 years ago)
Category: Core :: DOM: Security (enhancement, P2)
Target Milestone: mozilla72

 | Tracking | Status
---|---|---
firefox72 | --- | fixed

Reporter: acat, Assigned: acat
Whiteboard: [tor 32255][domsecurity-active]
Attachments: 2 files
Bug 1503736 removed the Origin headers from cross-origin requests coming from .onion when network.http.referer.hideOnionSource is enabled. In Tor Browser we changed that to Origin: null as we believe it's closer to spec. In https://tools.ietf.org/html/rfc6454#section-7.3 it says:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

And in the newer fetch spec, even though it does not mention "privacy-sensitive" contexts, the Origin is also set to null when the Referer is not sent.

The ticket in Tor is https://trac.torproject.org/projects/tor/ticket/32255.
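
Added example (not part of the bug report or of the Firefox patch): a simplified JavaScript model of the Origin header value under the three behaviours described above. The `Behaviour` names, the function names and the sample URLs are constructed for illustration; treating same-origin requests and non-.onion sources as unaffected is an assumption based on the description's wording.

```javascript
// Added illustration, not Firefox source code.
// Models which Origin header value a request carries under the three
// behaviours described in this bug. Names and URLs below are constructed.
const Behaviour = Object.freeze({
  PREF_OFF: "pref-off",        // network.http.referer.hideOnionSource disabled
  BUG_1503736: "omit-origin",  // pref enabled, header removed (Bug 1503736)
  BUG_1598647: "null-origin",  // pref enabled, header set to "null" (this bug)
});

// URL lowercases the host of http(s) URLs, so a plain suffix check suffices.
function isOnionHost(hostname) {
  return hostname.endsWith(".onion");
}

// Returns the Origin header value, or undefined when the header is omitted.
// Assumption: the request is one that carries an Origin header at all, and
// same-origin requests and non-.onion sources are unaffected by the pref.
function originHeader(sourceUrl, targetUrl, behaviour) {
  const source = new URL(sourceUrl);
  const target = new URL(targetUrl);
  // URL.origin serializes scheme, host and port (default ports dropped).
  const crossOrigin = source.origin !== target.origin;
  const hideSource =
    behaviour !== Behaviour.PREF_OFF && crossOrigin && isOnionHost(source.hostname);
  if (!hideSource) return source.origin;
  return behaviour === Behaviour.BUG_1598647 ? "null" : undefined;
}

// Evaluates one request under each behaviour so the three can be compared.
function compareBehaviours(sourceUrl, targetUrl) {
  const result = {};
  for (const [name, behaviour] of Object.entries(Behaviour)) {
    result[name] = originHeader(sourceUrl, targetUrl, behaviour);
  }
  return result;
}

// Constructed sample: a cross-origin request from a .onion page.
console.log(compareBehaviours(
  "http://exampleonionaddress.onion/form",
  "https://example.com/submit",
));
```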

Comment 1 • 5 years ago (Assignee)

Updated • 5 years ago
Assignee: nobody → acat

Updated • 5 years ago
Whiteboard: [tor 32255]

Updated • 5 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Whiteboard: [tor 32255] → [tor 32255][domsecurity-active]
Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/af2c6b5255e9
Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu
Comment 3 • 5 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox72:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Comment 4 • 5 years ago (Assignee)
Fix comment.
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8d54e39d7cde
Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu
Comment 6 • 5 years ago (bugherder)