Re: [tor-bugs] #32865 [Applications/Tor Browser]: Setting Origin: null header still breaks CORS in Tor Browser 9.5
#32865: Setting Origin: null header still breaks CORS in Tor Browser 9.5
--------------------------------------+--------------------------
Reporter: micahlee | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by alecmuffett):
This strikes me as a fairly fundamental question: Tor Browser in this
instance is intentionally not following web standards behaviour in order
to protect the "privacy of existence" / secrecy of given onion sites or
pages. Questions for the TBB team include whether this non-standard
behaviour will be plausibly copied (mandated?) in other browsers that
implement onion networking, and how practical it is to assume that
any/every onion site's threat model includes by-default privacy/secrecy,
thereby breaking onions for (e.g.) TheIntercept and who knows whom else in
future?
Making broad assumptions of "intent" at layer 7, on the basis of layer 3,
will continue to have unexpected consequences as Onion networking is more
generally adopted.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32865#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs