
[hackerone] Strip referrer and origin in cross-origin requests from a .onion origin #18071

Closed
brave/brave-core
#10760
@fmarier

Description

If a cross-origin request originates from a .onion service, we should match the Tor Browser behavior and:

  • omit the Referer header
  • send a value of null for the Origin header whenever present (e.g. in the case of a POST request)

Same-origin requests should follow our normal referrer policy.

Test page: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
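One way to check captured requests against the behavior requested above, as an added example that is not part of the issue or of Brave's or Tor Browser's code. The function names, the request record shape and the `abcdefexample.onion` host are assumptions made for illustration.

```javascript
// Added example: audits one captured request against the rule in the issue.
// Record shape and sample data are constructed for illustration.

function isOnionHost(hostname) {
  // Tolerate a trailing dot; match the .onion TLD only, not "onion.example.com".
  return hostname.toLowerCase().replace(/\.$/, '').endsWith('.onion');
}

// req: { initiator: URL of the requesting page, url: target URL,
//        headers: object keyed by lower-cased header name }
function auditOnionRequest(req) {
  const from = new URL(req.initiator);
  const to = new URL(req.url);
  const findings = [];

  // The rule only covers requests made from a .onion origin.
  if (!isOnionHost(from.hostname)) return findings;
  // Same-origin requests follow the normal referrer policy, so nothing to check.
  // URL.origin compares scheme, host and port with default ports normalised.
  if (from.origin === to.origin) return findings;

  if ('referer' in req.headers) {
    findings.push('Referer sent on cross-origin request from .onion');
  }
  if ('origin' in req.headers && req.headers.origin !== 'null') {
    findings.push('Origin is "' + req.headers.origin + '", expected "null"');
  }
  return findings;
}

// Constructed captures: a compliant POST, a leaking subresource fetch,
// and a same-origin navigation that is out of scope for the rule.
const samples = [
  { initiator: 'http://abcdefexample.onion/form.html',
    url: 'https://example.com/submit', headers: { origin: 'null' } },
  { initiator: 'http://abcdefexample.onion/page.html',
    url: 'https://example.com/img.png',
    headers: { referer: 'http://abcdefexample.onion/' } },
  { initiator: 'http://abcdefexample.onion/a.html',
    url: 'http://abcdefexample.onion/b.html',
    headers: { referer: 'http://abcdefexample.onion/a.html' } },
];
for (const s of samples) console.log(s.url, auditOnionRequest(s));
```

A request between two different .onion hosts, or between `http` and `https` on the same host, is cross-origin here and is audited like any other.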
