-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[hackerone] Strip referrer and origin in cross-origin requests from a .onion
origin
#18071
Comments
.onion
origin.onion
origin
hackerone issue: https://hackerone.com/reports/1337624 (credit: kkarfalcon) |
I updated https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)/_compare/1ae15b494ba87516f0afe85d5ddf0303bb9e5018...f31accf2c951fefa6e07b623277c007e3d87b1b3 for the referrer changes introduced here. |
Verification
Sub-resources
|
Verification
Sub-resources
|
If a cross-origin request originates from a
.onion
service, we should match the Tor Browser behavior and:Referer
headernull
for theOrigin
header whenever present (e.g. in the case of aPOST
request)Same-origin requests should follow our normal referrer policy.
Test page: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
The text was updated successfully, but these errors were encountered: