#26832: Allow use of https://check.torproject.org/api/ip by content ------------------------------------+------------------------------ Reporter: arthuredelstein | Owner: arlolra Type: defect | Status: needs_review Priority: Medium | Milestone: Component: Applications/Tor Check | Version: Severity: Normal | Resolution: Keywords: | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: ------------------------------------+------------------------------ Description changed by arthuredelstein:
Old description: > I would like to create a page on another domain that demonstrates stream > isolation in Tor Browser. This is the mechanism whereby each website is > downloaded by via a different Tor circuit, but a web page in an iframe is > downloaded via the same Tor circuit as the first party parent document > was. > > Right now, https://check.torproject.org/api/ip cannot be included in > iframes or fetched by a script in a web page. > > So I would like to propose setting > `Access-Control-Allow-Origin: *` > and removing the `X-Frame-Options` header > for this particular endpoint. New description: I would like to create a page on another domain that demonstrates stream isolation in Tor Browser. This is the mechanism whereby each website is downloaded via a different Tor circuit, but a web page in an iframe is downloaded via the same Tor circuit as the first party parent document was. Right now, https://check.torproject.org/api/ip cannot be included in iframes or fetched by a script in a web page. So I would like to propose setting `Access-Control-Allow-Origin: *` and removing the `X-Frame-Options` header for this particular endpoint. -- -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26832#comment:2> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
