[hackerone] Strip referrer and origin in cross-origin requests from a .onion origin
#18071
Comments
hackerone issue: https://hackerone.com/reports/1337624 (credit: kkarfalcon)

I updated https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)/_compare/1ae15b494ba87516f0afe85d5ddf0303bb9e5018...f31accf2c951fefa6e07b623277c007e3d87b1b3 for the referrer changes introduced here.

Verification
Sub-resources

If a cross-origin request originates from a .onion service, we should match the Tor Browser behavior and:

- Referer header
- null for the Origin header whenever present (e.g. in the case of a POST request)

Same-origin requests should follow our normal referrer policy.

Test page: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
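
The rule requested in this issue, written out as a header filter. This is an added example, not part of the issue and not Brave's or Tor Browser's code; the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration only; not Brave's or Tor Browser's implementation.
// isOnionHost and applyOnionHeaderPolicy are hypothetical names.

// True when the hostname is a .onion name (a trailing root dot is tolerated).
function isOnionHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return host.endsWith(".onion");
}

// Returns a copy of `headers` as they should leave the browser for a request
// to `targetUrl` initiated by a document loaded from `initiatorUrl`.
function applyOnionHeaderPolicy(initiatorUrl, targetUrl, headers) {
  const initiator = new URL(initiatorUrl);
  const target = new URL(targetUrl);
  // Origin = scheme + host + port, so a different port or scheme on the same
  // .onion host is cross-origin too.
  const crossOrigin = initiator.origin !== target.origin;
  // Only cross-origin requests from a .onion initiator are restricted.
  // Everything else is left to the normal referrer policy.
  const restrict = crossOrigin && isOnionHost(initiator.hostname);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (restrict && lower === "referer") continue; // Referer is not sent
    if (restrict && lower === "origin") {
      out[name] = "null"; // header stays present, value reveals nothing
      continue;
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample: a form POST from a made-up .onion page to another site.
const sample = applyOnionHeaderPolicy(
  "http://constructedexample.onion/form.html",
  "https://example.com/submit",
  {
    Referer: "http://constructedexample.onion/form.html",
    Origin: "http://constructedexample.onion",
    "Content-Type": "application/x-www-form-urlencoded",
  }
);
console.log(sample);
```

The filter never adds an Origin header that was not already there, which matches the "whenever present" wording above.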