Send "null" Origin header on cross-origin .onion requests

Fixes #1350.
whatwg · Nov 10, 2021 · 1f75092 · 1f75092
1 parent 3ecab20
commit 1f75092
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -111,6 +111,9 @@ urlPrefix:https://w3c.github.io/hr-time/#;spec:hr-time
         "href": "https://datatracker.ietf.org/doc/html/draft-ietf-masque-h3-datagram",
         "publisher": "IETF",
         "title": "Using QUIC Datagrams with HTTP/3"
+    },
+    "ONION": {
+        "aliasOf": "RFC7686"
     }
 }
 </pre>
@@ -2820,6 +2823,11 @@ given a <a for=/>request</a> <var>request</var>, run these steps:
  <li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a>
  with <var>request</var>.
 
+ <li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>'s
+ <a for=origin>host</a> ends with the <code>.onion</code> special-use domain name [[ONION]] and
+ is not <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then set
+ <var>serializedOrigin</var> to `<code>null</code>`.
+
  <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" or
  <var>request</var>'s <a for=request>mode</a> is "<code>websocket</code>", then
  <a for="header list">append</a> (`<code>Origin</code>`, <var>serializedOrigin</var>) to