#32865: Setting Origin: null header still breaks CORS in Tor Browser 9.5 --------------------------------------+-------------------------- Reporter: micahlee | Owner: tbb-team Type: defect | Status: new Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------------------+--------------------------
Comment (by alecmuffett): This strikes me as a farily fundamental question: Tor Browser in this instance is intentionally not following web standards behaviour in order to protect the "privacy of existence" / secrecy of given onion sites or pages. Questions for the TBB team include whether this non-standard behaviour will be plausibly copied (mandated?) in other browsers that implement onion networking, and how practical it is to assume that any/every onion site's threat model includes by-default privacy/secrecy, thereby breaking onions for (e.g.) TheIntercept and who knows whom else in future? Making broad assumptions of "intent" at layer 7, on the basis of layer 3, will continue to have unexpected consequences as Onion networking is more generally adopted. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32865#comment:3> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs