When connecting to the website of Whonix documentation, including its hidden service, a request is made to “https://whonix.report-uri.com”.
This can be seen in the Network tab of Tor Browser’s Web Developer Tools.

The headers are as follows:

Status		429
No Reason 	Phrase
Version		HTTP/2
Transferred	1.07 KB (11 B size)

cf-ray: `unique value redacted`
cf-request-id: `unique value redacted`
content-length: 11
content-type: text/plain
date: Tue, 22 Dec 2020 `unique timestamp redacted` GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
nel: {"report_to":"default","max_age":3600,"include_subdomains":true,"failure_fraction":0.00001}
report-to: {"group":"default","max_age":3600,"endpoints":[{"url":"https://scotthelme.report-uri.com/a/d/g"}],"include_subdomains":true}
server: cloudflare
set-cookie: __cfduid=`unique value redacted`; expires=Thu, 21-Jan-21 `unique timestamp redacted` GMT; path=/; domain=.report-uri.com; HttpOnly; SameSite=Lax; Secure
set-cookie: __cf_bm=`unique value redacted`=; path=/; expires=Tue, 22-Dec-20 `unique timestamp redacted` GMT; domain=.report-uri.com; HttpOnly; Secure; SameSite=None
strict-transport-security: max-age=`unique value redacted`; includeSubDomains; preload
vary: Accept-Encoding
X-Firefox-Spdy: h2

Why does this happen? This does not seem like behavior intended by Whonix™ developers.
It is a problem because:

  1. It connects to a third party (Cloudflare?), leaking that a connection has been made to whonix.org and the time when connections were made.
  2. It sets a unique cookie and a request is made with unique values every time any page of the documentation is opened, leaking to the third party: all the pages of the documentation visited by the user in this single session.
  3. It makes a connection to a clearweb website even when Whonix’s hidden service was used.

It does not happen on the forum or other parts of the Whonix website (to my knowledge), only the documentation.
Please resolve the issue.

Related to:

CSP violations reporting because of Content-Security-Policy header. I was setting up Expect-CT, Network_Error_Logging (NEL) and report-to security headers.

I see. Reporting to third party is bad. Open Source self-hosting doesn’t exist (and may in part not be possible, reporting potential TLS issues to the source) (yet?). (Will look into self-hosting but might be too much effort.) Therefore disabled just now.

Trusting the Whonix ™ Website

I see. Thank you for the explanation.
The potential benefit probably is not worth making connections to third party.
As a consideration hidden service also should not need it because there is no TLS.

Only the Expect-CT part is relevant for TLS, irrelevant for onion
service. The other security headers are equally relevant for the onion