Omit referrers on cross-origin requests from an .onion address (fixes w…

…3c#155)
fmarier · Nov 10, 2021 · 88c03a3 · 88c03a3
1 parent bbc7291
commit 88c03a3
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/index.src.html b/index.src.html
@@ -850,6 +850,13 @@ <h3 id="determine-requests-referrer" dfn export>
       Let request's <dfn>referrerURL</dfn> be the result of <a href="#strip-url">stripping
       <var>referrerSource</var> for use as a referrer.</a>
     </li>
+    <li>
+      If the <a for=url>origin</a> of <a>referrerURL</a> has a <a for=origin>host</a> that
+      ends with <code>.onion</code> or <code>.onion.</code>, the special-use domain name defined
+      in [[!RFC7686]], and that <a for=url>origin</a> is not <a lt="same origin">the same</a> as
+      the <a for=url>origin</a> of <var>request</var>'s <a for=request>current URL</a>, then
+      return <code>no referrer</code>.
+    </li>
     <li>
       Let <var>referrerOrigin</var> be the result of
       <a href="#strip-url">stripping <var>referrerSource</var> for use as a