- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 23 Nov 2021 01:42:06 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1350/976337800@github.com>
Some developers do seem to expect that CORS would include `.onion` domain details: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32865 (thanks @valenting for finding that!). But, having discussed this a bit with @tomrittervg it's not clear to me that's the way to go. Leaking `.onion` domains to other sites has these risks:

1. It reveals the `.onion` domain exists. `.onion` domains are a lot like capability URLs and some are definitely meant to stay secret as I understand it.
2. It reveals the user uses `.onion` domains. (I'm not sure this is a problem on its own, especially with newish state partitioning behavior.)

Coupled with the fact that depending on CORS is quite easy (e.g., using a cross-site library for a font), I don't think we want it to leak by default.

Having said that, I could imagine supporting some kind of policy for this for `.onion` domains that self-declare in some manner that they are not secret. But it seems that should be a follow-up, if anything.

I'd additionally like to solicit feedback from those more closely involved with `.onion`. @sysrqb @alecmuffett perhaps you could comment as to whether this seems reasonable?

(Aside: I think it's also a bug in Tor Browser and possibly Firefox therefore that a `null` origin and credentials does not work. At least per https://fetch.spec.whatwg.org/#cors-check that is fine.)

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1350#issuecomment-976337800

Received on Tuesday, 23 November 2021 09:42:19 UTC