[tor-dev] UX improvement proposal: Onion auto-redirects using Alt-Svc HTTP header
Iain Learmonth
irl at torproject.org
Fri Jul 13 19:23:41 UTC 2018
Hi,
On 13/07/18 16:24, Tom Ritter wrote:
> Ah, that makes sense. You want /foo.html to serve an Onion-Location
> that goes to /foo.html
Exactly! But I might also want that /foo/bar.html goes to /bar.html on
the onion service while /baz/bar.html goes to /bar.html on another onion
service. Otherwise I don't think we can claim that the Onion-Location
header is similar to the Location header.
> But you're saying you did this manually for each file? I guess I
> hadn't thought about how I would implement this (for Apache)... http
> -> https redirection is done with mod_rewrite, typically something like
My personal website is currently hosted by Netlify. They allow you to
provide a file that is used to send custom headers on a per-URL basis.
https://www.netlify.com/docs/headers-and-basic-auth/
I've attached the script I'm using for this. It's a manual step in that
I have to run the script. I could probably automate it if I learnt a
little more Hugo.
> I don't mess with Apache/mod_rewrite much, but surely there's a way to
> write out the Onion-Location header with the supplied path/querystring
> automatically?
I would imagine there are ways to configure this, but I don't know what
they are.
> I agree that if a Location header is present, the browser should
> follow it immediately. If the subsequent location has an
> Onion-Location header (and no Location header) then the browser should
> prompt.
This sounds reasonable.
> Location is a non-prompt, non-negotiable redirect.
> Onion-Location is a prompted, user-chosen redirect.
>
> The only question in my mind is if the user has opted in to always
> following Onion-Location redirects, then the question is: which header
> do you follow? And I would suggest Onion-Location although I don't
> have a strong argument for that choice besides "It's our feature, we
> should give it precedence."
I think in this case, I would prefer to follow the Onion-Location header
first, as the user has chosen to make the usability trade-off for
security by enabling the automatic redirects.
Would it be worthwhile for me to write some text to this effect as a
patch for the proposal document?
Thanks,
Iain.
-------------- next part --------------
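#!/usr/bin/zsh
# Build the site into public/
hugo
# For every generated index.html, write its URL path followed by an indented
# Onion-Location header pointing at the same path on the onion service
find public | \
grep index.html | \
sed 's/^public//' | \
sed 's/index.html$//' | \
awk '{ print $0 "\n Onion-Location: http://tvin5bvfwew3ldttg5t6ynlif4t53y3mbmb7sgbyud7h5q6gblrpsnyd.onion" $0 }' \
> static/_headers
# Limited compatibility with Healthy Onions add-on
# (drops the trailing slash from the Onion-Location of the site root)
sed -i 's,^ Onion-Location: http://tvin5bvfwew3ldttg5t6ynlif4t53y3mbmb7sgbyud7h5q6gblrpsnyd.onion/$, Onion-Location: http://tvin5bvfwew3ldttg5t6ynlif4t53y3mbmb7sgbyud7h5q6gblrpsnyd.onion,' static/_headers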
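
A check that could be run on the generated static/_headers file before deploying, added here as an example and not part of the attachment above: it flags any Onion-Location value that is not an http(s) URL on a 56-character v3 onion host, or whose path differs from the path of its rule. The function names and the sample data are assumptions, and the same-path rule reflects what the script above generates, not the per-path remapping discussed in the message.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Netlify-style _headers
# file for Onion-Location values that do not mirror their clearnet path.

# check_onion_headers [FILE...]   (reads stdin when no file is given)
# Prints "PATH: problem" for each finding; exit status is 1 if any were found.
check_onion_headers() {
    awk '
    function report(msg) { print path ": " msg; bad = 1 }
    # An unindented, non-comment line starts the rule for one URL path.
    /^[^ \t#]/ { path = $0; sub(/[ \t\r]+$/, "", path); next }
    /^[ \t]+Onion-Location:/ {
        url = $0
        sub(/^[ \t]+Onion-Location:[ \t]*/, "", url)
        sub(/[ \t\r]+$/, "", url)
        rest = url
        if (!sub(/^https?:\/\//, "", rest)) {
            report("not an http(s) URL: " url); next
        }
        slash = index(rest, "/")
        host  = slash ? substr(rest, 1, slash - 1) : rest
        opath = slash ? substr(rest, slash) : "/"    # bare host means "/"
        # A v3 onion name is 56 base32 characters (a-z, 2-7) before ".onion".
        label = tolower(host)
        if (!sub(/\.onion$/, "", label) || length(label) != 56 ||
            label !~ /^[a-z2-7]+$/) {
            report("not a v3 onion host: " host)
        }
        if (opath != path) { report("points at " opath) }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input: the label is 56 letters "a", not a real service.
sample_headers() {
    onion=$(printf '%056d' 0 | tr 0 a)
    printf '/\n  Onion-Location: http://%s.onion\n' "$onion"
    printf '/about/\n  Onion-Location: http://%s.onion/about/\n' "$onion"
    printf '/blog/\n  Onion-Location: http://%s.onion/about/\n' "$onion"
    printf '/cv/\n  Onion-Location: http://%s.onion/cv/\n' "${onion%?}"
}

sample_headers | check_onion_headers || echo "problems found"
```

The root rule passes with a bare host because the check treats a missing path as "/", which matches the trailing-slash rewrite the script applies for the Healthy Onions add-on.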