#32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0 ----------------------------+------------------------------------------ Reporter: complexparadox | Owner: tbb-team Type: defect | Status: new Priority: Medium | Component: Applications/Tor Browser Version: | Severity: Blocker Keywords: cors | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: ----------------------------+------------------------------------------ Looks like there is an issue on Tor Browser 9.0 which affects our CORS allowance setup, at least with the dependency django-cors-headers, because it fails to send the expected header ORIGIN in the OPTIONS preflight. It works fine using the latest 8 version. We've noticed this only happens when the CORS request source is a .onion address, otherwise it works as usual.
Example: public.com XHR OPTIONS >> publicapi.com (ORIGIN HEADER INCLUDED, WORKS) hidden.onion XHR OPTIONS >> publicapi.com (MISSING ORIGIN HEADER, BREAKS) hidden.onion XHR OPTIONS >> hiddenapi.onion (MISSING ORIGIN HEADER, BREAKS) -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32255> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs