Closed
Description
If a cross-origin request originates from a .onion service, we should match the Tor Browser behavior and:
- omit the
Refererheader - send a value of
nullfor theOriginheader whenever present (e.g. in the case of aPOSTrequest)
Same-origin requests should follow our normal referrer policy.
Test page: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html