- From: Francois Marier <notifications@github.com>
- Date: Fri, 19 Nov 2021 16:22:29 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1351/review/811769851@github.com>
@fmarier commented on this pull request. > @@ -2820,6 +2823,11 @@ given a <a for=/>request</a> <var>request</var>, run these steps: <li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a> with <var>request</var>. + <li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>'s + <a for=origin>host</a> ends with "<code>.onion</code>" or "<code>.onion.</code>", and + is not <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then set + <var>serializedOrigin</var> to `<code>null</code>`. [[ONION]] I've got these two no-cors manual test cases on my [test page](http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html) (you can also see it at http://fmarier.com/referrer/onion.html though it's meant to run from a `.onion`) : - `example.onion` --307--> `example.onion` --307--> `example.com` - `example.onion` --307--> `example.com` --307--> `example.onion` For the first one, both Brave and Tor Browser send a `null` origin (and omit the referrer for that matter). For the second one, however, Brave sends a `null` origin but the Tor browser sends the full Origin in that case. I think a `null` Origin is the desired behavior here? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1351#discussion_r753603469
Received on Saturday, 20 November 2021 00:22:42 UTC