Re: [tor-bugs] #33705 [Internal Services/Tor Sysadmin Team]: Add header to redirect websites visitors using tor-browser to the .onion address

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#33705: Add header to redirect websites visitors using tor-browser to the .onion
address
-------------------------------------------------+-------------------------
 Reporter:  hiro                                 |          Owner:  hiro
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Description changed by hiro:

Old description:

> We have received a number of tickets by Tor Browser users that we should
> keep people visiting the .onion version of a website in the .onion space.
>
> I am willing to implement a header that signal the .onion address for all
> of our onions and I am currently considering two options.
>
> 1. Implement alt-svc. This is what facebook does. Specifically the
> browser receive a alt-sv header like:
>
> {{{
> alt-svc:
> h2="facebook2futmrduts5uqn3ahwg4qyqoks6h3alxf5drhsgyhzujyqad.onion:443";
> ma=86400
> }}}
>
> 2. Use onion-location:
>
> {{{
> Onion-Location:
> http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/header/
> }}}
>
> 3. Use a onion-location meta-tag:
>

> {{{
> <!DOCTYPE html>
> <html>
>   <head>
>     <meta http-equiv="onion-location"
> content="http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/meta/"/>
>   </head>
>   <body>
>     Onion-Location meta tag test.
>   </body>
> </html>
> }}}
>
> I would personally prefer to use one of the two headers options. Either
> the alt-sv or the onion-location one. Both have advantages. I like that
> with alt-sv the connection is upgraded to an onion location without the
> address bar changing. At the same time we should also showcase our
> onions! And if we launch the onion-location header support we should show
> it on our websites.
>
> Something I would avoid is following the model that Privacy International
> use, and issue a "Location:" redirect when the client comes from an exit
> node. We currently do not check in our infrastructure where a user is
> coming from and I wouldn't like to start doing that.

New description:

 We have received a number of tickets by Tor Browser users that we should
 keep people visiting the .onion version of a torproject.org website in the
 .onion space. Instead because we have different subdomains for different
 websites a user surfing the onion version of torproject.org will be taken
 to support.torproject.org instead of its onion address.

 I am willing to implement a header that signal the .onion address for all
 of our onions and I am currently considering two options.

 1. Implement alt-svc. This is what facebook does. Specifically the browser
 receive a alt-sv header like:

 {{{
 alt-svc:
 h2="facebook2futmrduts5uqn3ahwg4qyqoks6h3alxf5drhsgyhzujyqad.onion:443";
 ma=86400
 }}}

 2. Use onion-location:

 {{{
 Onion-Location:
 http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/header/
 }}}

 3. Use a onion-location meta-tag:


 {{{
 <!DOCTYPE html>
 <html>
   <head>
     <meta http-equiv="onion-location"
 content="http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/meta/"/>
   </head>
   <body>
     Onion-Location meta tag test.
   </body>
 </html>
 }}}

 I would personally prefer to use one of the two headers options. Either
 the alt-sv or the onion-location one. Both have advantages. I like that
 with alt-sv the connection is upgraded to an onion location without the
 address bar changing. At the same time we should also showcase our onions!
 And if we launch the onion-location header support we should show it on
 our websites.

 Something I would avoid is following the model that Privacy International
 use, and issue a "Location:" redirect when the client comes from an exit
 node. We currently do not check in our infrastructure where a user is
 coming from and I wouldn't like to start doing that.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33705#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs