CORS header 'Access-Control-Allow-Origin' missing
It seems Tor Browser sometimes strips the Access-Control-Allow-Origin header. I ran into the issue when using Globe. When the header is stripped the browser console contains the warning
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://onionoo.torproject.org/details?lookup=299F0933E93B6571ED1CB3D52090E6E13D62427C. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
The reasons why i believe Tor Browser is the cause are
- Onionoo explicitly sets the header.
- Responses from direct requests to an Onionoo resource using Tor Browser sometimes do not show the header in the Network Monitor.
- Responses from direct requests to the same Onionoo resource using curl consistently contain the header.