From cd00521ca493bfd381b9562edd6ec811077a01a0 Mon Sep 17 00:00:00 2001 From: Marcin Rataj Date: Fri, 29 Jan 2021 22:08:16 +0100 Subject: [PATCH] fix: remove use of Clear-Site-Data We used Clear-Site-Data to cushion transition period for local gateway exposed at http://localhost while we were still figuring out security-related details. In the final implementation subdomain gateways are not tied to a hostname explicitly, which removes the risk of cookies leaking, removing the need for the header. Turns out it causes issues for Firefox users, so let's just remove it. Closes https://github.com/ipfs-shipyard/ipfs-companion/issues/977 This commit was moved from ipfs/kubo@d61ae2bcb48be6067acaaa9c0d1c51483f891b0b --- gateway/core/corehttp/hostname.go | 9 --------- 1 file changed, 9 deletions(-) diff --git a/gateway/core/corehttp/hostname.go b/gateway/core/corehttp/hostname.go index da133f7ab..d4006cb84 100644 --- a/gateway/core/corehttp/hostname.go +++ b/gateway/core/corehttp/hostname.go @@ -97,15 +97,6 @@ func HostnameOption() ServeOption { return } if newURL != "" { - // Just to be sure single Origin can't be abused in - // web browsers that ignored the redirect for some - // reason, Clear-Site-Data header clears browsing - // data (cookies, storage etc) associated with - // hostname's root Origin - // Note: we can't use "*" due to bug in Chromium: - // https://bugs.chromium.org/p/chromium/issues/detail?id=898503 - w.Header().Set("Clear-Site-Data", "\"cookies\", \"storage\"") - // Set "Location" header with redirect destination. // It is ignored by curl in default mode, but will // be respected by user agents that follow
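Review bot: In the `if newURL != ""` branch, removing the `Clear-Site-Data` line also removes the only in-code record of the case it covered, namely browsers that ignore the redirect and keep using the hostname's root Origin. The reason that case no longer matters is stated only in the commit message. Consider leaving a one-line comment at that spot saying the header was dropped deliberately (Firefox breakage, ipfs-companion issue 977) and that Origin isolation now relies on the subdomain redirect alone. A test asserting that the redirect response sets `Location` and does not set `Clear-Site-Data` would keep the header from being reintroduced later. Since the remaining comment notes that `Location` is ignored by some clients by default, it is also worth confirming in the PR description that nothing served to a non-following client depended on the root Origin's cookies and storage being cleared.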