Skip to content

Missing ORIGIN header breaks CORS in Tor Browser 9.0

Looks like there is an issue on Tor Browser 9.0 which affects our CORS allowance setup, at least with the dependency django-cors-headers, because it fails to send the expected header ORIGIN in the OPTIONS preflight. It works fine using the latest 8 version. We've noticed this only happens when the CORS request source is a .onion address, otherwise it works as usual.

Example:

public.com XHR OPTIONS >> publicapi.com (ORIGIN HEADER INCLUDED, WORKS) hidden.onion XHR OPTIONS >> publicapi.com (MISSING ORIGIN HEADER, BREAKS) hidden.onion XHR OPTIONS >> hiddenapi.onion (MISSING ORIGIN HEADER, BREAKS)

Trac:
Username: complexparadox

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information