shafemtol on Nostr: Regarding referrer, browsers send the `Origin` header on WebSocket connections, ...
Regarding referrer, browsers send the `Origin` header on WebSocket connections, revealing the domain name of the client app. Other resources can be loaded without referrer/origin through `Referrer-Policy`. This does not affect the WebSocket `Origin` header.
I did some testing and found a trick: Put the WebSocket client in a sandboxed iframe.
Demo here: https://sha.femtol.net/dev-tests/ws-origin/iframe-sandbox.html (use the browser's network console).
Tested and works on both Firefox and Chromium. It might not work on older Firefox browsers, though.
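The sandboxed-iframe approach from the post, as an added example (this is not the code behind the linked demo). An iframe sandboxed with `allow-scripts` but without `allow-same-origin` gets an opaque origin, which the browser serializes as `null` in the WebSocket `Origin` header. The function names and the relay URL `wss://relay.example/` are assumptions.

```javascript
// Added example. buildRelayDocument and openSandboxedSocket are hypothetical names.
// Build the iframe's srcdoc. The URL is embedded as a JSON string literal with
// "<" escaped, so a hostile URL cannot close the <script> element early.
function buildRelayDocument(wsUrl) {
  const u = new URL(wsUrl);
  if (u.protocol !== "wss:" && u.protocol !== "ws:") {
    throw new TypeError("expected a ws: or wss: URL");
  }
  const literal = JSON.stringify(u.href).replace(/</g, "\\u003c");
  return `<!doctype html><script>
const ws = new WebSocket(${literal});
// The frame's own origin is opaque, so targetOrigin has to be "*".
const up = (type, data) => parent.postMessage({ type, data }, "*");
ws.onopen = () => up("open");
ws.onmessage = (e) => up("message", e.data);
ws.onclose = (e) => up("close", e.code);
onmessage = (e) => { if (e.source === parent) ws.send(e.data); };
<\/script>`;
}

// Browser only: create the sandboxed frame and return a handle to it.
function openSandboxedSocket(wsUrl, onEvent) {
  const frame = document.createElement("iframe");
  // allow-scripts only. Adding allow-same-origin would restore the app's
  // origin inside the frame and with it the real Origin header.
  frame.setAttribute("sandbox", "allow-scripts");
  frame.style.display = "none";
  frame.srcdoc = buildRelayDocument(wsUrl);
  window.addEventListener("message", (e) => {
    // event.origin is the string "null" for a sandboxed frame, so identify
    // the sender by its window object instead.
    if (e.source !== frame.contentWindow) return;
    onEvent(e.data); // { type: "open" | "message" | "close", data }
  });
  document.body.appendChild(frame);
  return {
    // Call send() only after the "open" event has arrived.
    send: (text) => frame.contentWindow.postMessage(text, "*"),
    close: () => frame.remove(),
  };
}
```

The frame's script can only talk to the page through `postMessage`, so any signing keys stay in the parent and only already-serialized messages cross into the frame.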