- From: Francois Marier <notifications@github.com>
- Date: Tue, 23 Nov 2021 23:08:09 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1351/review/814496939@github.com>
@fmarier commented on this pull request.

> @@ -2820,6 +2823,11 @@ given a <a for=/>request</a> <var>request</var>, run these steps:
>  <li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a> with <var>request</var>.
> + <li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>'s
> + <a for=origin>host</a> ends with "<code>.onion</code>" or "<code>.onion.</code>", and
> + is not <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then set
> + <var>serializedOrigin</var> to `<code>null</code>`. [[ONION]]

> So the user navigates to the starting origin?

Yes, that's correct. However, I just realized that I made a mistake in my description of the test cases, which probably threw you off. What I meant was:

1. Navigate to `example.onion/index.html`.
2. Submit form (POST) to `example.onion/another.html`.
3. `example.onion/another.html` is a 307 redirect to `example.com`.
4. You end up on `example.com` with a `null` `Origin` header.

The second test case is:

1. Navigate to `example.onion/index.html`.
2. Submit form (POST) to `example.com`.
3. `example.com` is a 307 redirect to `example.onion/another.html`.
4. You end up on `example.onion/another.html` with a `null` `Origin` header.

I had the same expectations as you (regarding the `example.com` tainting due to the redirect) and that's what I implemented in Brave, but Tor Browser returns an `Origin` of `example.onion` in the second case.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1351#discussion_r755751704
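Review bot: the added step is asymmetric and the hunk does not say whether that is intended: it nulls `serializedOrigin` only when the request's current URL host ends with `.onion` (or `.onion.`) and is cross-origin to the request's origin, so in step 2 of the second test case (a POST from `example.onion` to `example.com`, before any redirect) the step does not fire and the onion origin is still serialized; the `null` seen in step 4 of that case comes from the existing redirect tainting in "byte-serializing a request origin", not from this hunk. A one-sentence note beside the step (or in the [[ONION]] reference) stating that only requests *to* onion hosts are covered, with cross-origin redirects handled by the existing tainting, would keep implementers from reading it as a two-way rule.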
Received on Wednesday, 24 November 2021 07:08:23 UTC