What is Nostr?
shafemtol /
npub1mh9…nahj
2023-02-28 16:10:48
in reply to nevent1q…d6z2

shafemtol on Nostr: Regarding referrer, browsers send the `Origin` header on WebSocket connections, ...

Regarding referrer, browsers send the `Origin` header on WebSocket connections, revealing the domain name of the client app. Other resources can be loaded without referrer/origin through `Referrer-Policy`. This does not affect the WebSocket `Origin` header.

I did some testing and found a trick: Put the WebSocket client in a sandboxed iframe.

Demo here: https://sha.femtol.net/dev-tests/ws-origin/iframe-sandbox.html (use the browser's network console).

Tested and works on both Firefox and Chromium. It might not work on older Firefox browsers, though.
Author Public Key
npub1mh94j7j7nwvzl7kwcg70fhxe67kdy50fccakmueq9jjf77zmc25svanahj