Send "null" Origin header on cross-origin .onion requests
Fixes #1350.
- [x] At least two implementers are interested (and none opposed):
- [ ] Tests are written and can be reviewed and commented upon at:
  - …
- [ ] Implementation bugs are filed:
  - Chrome: …
  - Firefox: …
  - Safari: …
(See WHATWG Working Mode: Changes for more details.)
The other big remaining thing here is making sure this would be on track to become a part of the interoperable web, via implementation (on by default) in WebKit/Gecko/Chromium.
> making sure this would be on track to become a part of the interoperable web
Yes, and trying to see whether there's agreement on the correct way to handle these was the reason I created these PRs in the first place.
In the short term, Brave is going to match what the Tor Browser is doing, but ideally we'd like to see if we can align with the browsers that don't bundle Tor directly.
> whether this should be optional somehow or conditional upon .onion support
On this specific point, I would suggest the answer is no, it should be always ON because there's no easy way for the browser to know that the SOCKS5 proxy it's using is the Tor daemon.