1598647 - Set Origin to null with network.http.referer.hideOnionSource

Status: RESOLVED FIXED

(Core :: DOM: Security, enhancement, P2)

Description

[Alex Catarineu (Tor Browser dev)]

Bug 1503736 removed the Origin headers from cross-origin requests coming from .onion when network.http.referer.hideOnionSource is enabled. In Tor Browser we changed that to Origin: null as we believe it's closer to spec. In https://tools.ietf.org/html/rfc6454#section-7.3 it says

Whenever a user agent issues an HTTP request from a "privacy-
sensitive" context, the user agent MUST send the value "null" in the
Origin header field.

And in the newer fetch spec, even though it does not mention "privacy-sensitive" contexts, the Origin is also set to null when the Referer is not sent.

The ticket in Tor is https://trac.torproject.org/projects/tor/ticket/32255.

Comment 1

[Alex Catarineu (Tor Browser dev)]

Attachment: Bug 1598647 - Set Origin to null with network.http.referer.hideOnionSource

Comment 2

[Pulsebot]

Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/af2c6b5255e9
Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu

Comment 3

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/af2c6b5255e9

Comment 4

[Alex Catarineu (Tor Browser dev)]

Attachment: Bug 1598647 - Set Origin to null with network.http.referer.hideOnionSource

Fix comment.

Comment 5

[Pulsebot]

Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8d54e39d7cde
Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu

Comment 6

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/8d54e39d7cde