Re: [whatwg/fetch] Send "null" Origin header on cross-origin .onion requests (PR #1351) from Anne van Kesteren on 2021-11-09 (public-webapps-github@w3.org from November 2021)

From: Anne van Kesteren <notifications@github.com>
Date: Tue, 09 Nov 2021 02:01:30 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1351/review/801070873@github.com>

@annevk commented on this pull request.



> @@ -2820,6 +2823,11 @@ given a <a for=/>request</a> <var>request</var>, run these steps:
  <li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a>
  with <var>request</var>.
 
+ <li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> uses the
+ <code>.onion</code> special-use domain name [[ONION]] and is not <a>same origin</a> with
+ <var>request</var>'s <a for=request>origin</a>, then set <var>serializedOrigin</var> to
+ `<code>null</code>`.

This should have a similar comparison with origin's host as is done in https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy for "`localhost`". I guess we care about ends with "`.onion`" or "`.onion.`", but not sure.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1351#pullrequestreview-801070873

Received on Tuesday, 9 November 2021 10:02:36 UTC