Skip to content

Commit

Permalink
Send "null" Origin header on cross-origin .onion requests
Browse files Browse the repository at this point in the history
  • Loading branch information
fmarier committed Nov 10, 2021
1 parent 3ecab20 commit fefa1dc
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions fetch.bs
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,9 @@ urlPrefix:https://w3c.github.io/hr-time/#;spec:hr-time
"href": "https://datatracker.ietf.org/doc/html/draft-ietf-masque-h3-datagram",
"publisher": "IETF",
"title": "Using QUIC Datagrams with HTTP/3"
},
"ONION": {
"aliasOf": "RFC7686"
}
}
</pre>
Expand Down Expand Up @@ -2820,6 +2823,11 @@ given a <a for=/>request</a> <var>request</var>, run these steps:
<li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a>
with <var>request</var>.

<li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>'s
<a for=origin>host</a> ends with <code>.onion</code> or <code>.onion.</code> [[ONION]], and
is not <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then set
<var>serializedOrigin</var> to `<code>null</code>`.

<li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" or
<var>request</var>'s <a for=request>mode</a> is "<code>websocket</code>", then
<a for="header list">append</a> (`<code>Origin</code>`, <var>serializedOrigin</var>) to
Expand Down

0 comments on commit fefa1dc

Please sign in to comment.