w3c / webappsec-referrer-policy

WebAppSec Referrer Policy
https://w3c.github.io/webappsec-referrer-policy/

Omit referrers on cross-origin requests from an .onion address #156

Open fmarier opened 3 years ago

fmarier commented 3 years ago

This is to address #155.



annevk commented 3 years ago

https://github.com/whatwg/fetch/pull/1351 proposes similar language. Do we expect many other places to need this? If we find a third it probably warrants abstraction.

fmarier commented 3 years ago

> Do we expect many other places to need this? If we find a third it probably warrants abstraction.

The only other special treatment of .onion I could see in Firefox has to do with treating .onion services over HTTP as a secure context, which we are also planning to do in Brave.

domfarolino commented 2 years ago

This has been sitting for a while now with no activity (partially because I've failed to review it, but that's mostly because I haven't seen much activity in terms of consensus on the other related issues). I've tried to round up all of the related web platform .onion issues and PRs:

It seems like the Fetch issue is stalled on feedback that hasn't come in, and perhaps also stalled on general consensus for this from other browsers. Would you mind if I closed this or marked it as a draft until some of the consensus around handling .onion in web specs gets sorted out, and we can go from there? Let me know if you have plans to still work on this.

fmarier commented 2 years ago

You can also add https://github.com/brave/brave-browser/issues/18071 if you want (that's the Brave issue where we implemented this in order to match the Tor Browser behavior).

Marking it as draft makes sense. I do intend to pick this up again since I think it would be worthwhile to agree on what the correct behavior should be and/or standardize what the two browsers with built-in support for Tor already ship.

domfarolino commented 8 months ago

(This is showing up in my active review requests on GitHub, so I'll remove myself for now while this is parked as a draft)
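
The rule named in this pull request's title, as an added JavaScript sketch; it is not the specification text or any browser's code, and the PR's actual wording is not shown on this page. The function names, the sample URLs and the fallback to a simplified `strict-origin-when-cross-origin` default are assumptions made for the illustration.

```javascript
// Added illustration: decide what Referer value a request should carry.
// All names here are hypothetical; sample URLs in the comments are constructed.

// True when the host is an .onion name (a trailing root dot is tolerated).
function isOnionHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return host.endsWith(".onion");
}

// Simplified strict-origin-when-cross-origin (assumed default policy).
function strictOriginWhenCrossOrigin(from, to) {
  if (from.origin === to.origin) {
    const stripped = new URL(from.href);
    stripped.hash = "";      // fragments are never sent
    stripped.username = "";  // nor are credentials
    stripped.password = "";
    return stripped.href;
  }
  // Do not leak an HTTPS origin to a non-HTTPS destination.
  if (from.protocol === "https:" && to.protocol !== "https:") return null;
  return from.origin + "/";
}

// Returns the referrer string to send, or null to omit the header.
function referrerFor(documentUrl, requestUrl) {
  const from = new URL(documentUrl);
  const to = new URL(requestUrl);
  // The rule from the PR title: a cross-origin request made from an
  // .onion page carries no referrer, so the onion address is not
  // disclosed to the destination (another onion service included).
  if (isOnionHost(from.hostname) && from.origin !== to.origin) {
    return null;
  }
  return strictOriginWhenCrossOrigin(from, to);
}
```

Same-origin requests from the onion page keep their referrer; only the cross-origin case is changed.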