On 7 July 2018 at 13:07, Iain Learmonth irl@torproject.org wrote:
Hi,
I've had a go at implementing this for my personal blog. Here are some things:
Good feedback!
My personal website is a static site (mostly). In my implementation, I took a list of all possible HTML URLs (excluding images, stylesheets, etc.) and generated a list of corresponding onion locations.
I figured that being a blog, people often link to individual pages instead of just to my homepage (which is probably the least useful page on the site). Having the Onion-Location header on every page someone could land on gives the best chance that they will discover the onion service.
Ah, that makes sense. You want /foo.html to serve an Onion-Location that goes to /foo.html
But you're saying you did this manually for each file? I guess I hadn't thought about how I would implement this (for Apache)... http -> https redirection is done with mod_rewrite, typically something like
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
I don't mess with Apache/mod_rewrite much, but surely there's a way to write out the Onion-Location header with the supplied path/querystring automatically?
But then I realised that some of the locations I had generated Onion-Locations for would also be serving Location headers as they were old URLs. What should a browser do in this case? What should an implementer do? In my implementation, I've thrown in the Onion-Location headers regardless of whether or not a Location header is also present because it was easier.
I think that is fine but....
It could be preferable that the redirection is followed after switching to the Onion service (i.e. Location header is ignored until user responds to the Onion-Location header prompt), but this would mean the page wouldn't have loaded before you get the prompt to go to the Onion service, which may be confusing for users. Alternatively, if the page has a Location header then the Onion-Location header should be ignored.
I agree that if a Location header is present, the browser should follow it immediately. If the subsequent location has an Onion-Location header (and no Location header) then the browser should prompt.
Location is a non-prompt, non-negotiable redirect. Onion-Location is a prompted, user-chosen redirect.
The only question in my mind is if the user has opted in to always following Onion-Location redirects, then the question is: which header do you follow? And I would suggest Onion-Location although I don't have a strong argument for that choice besides "It's our feature, we should give it precedence."
-tom
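
The header precedence discussed in this message, modelled as an added example (not code from the thread or from any browser): Location is followed without a prompt, Onion-Location prompts, and an opted-in user gets Onion-Location first. The host names, the onion address, the `SITE` table and the function names are constructed placeholders.

```javascript
// Constructed sample responses keyed by URL. Host names, the onion address
// and the lower-cased header keys are placeholders for this sketch.
const ONION = "http://placeholderonionaddress.onion";
const SITE = {
  "https://blog.example/old.html": {
    location: "https://blog.example/foo.html",
    onionLocation: ONION + "/old.html",
  },
  "https://blog.example/foo.html": { onionLocation: ONION + "/foo.html" },
  [ONION + "/old.html"]: { location: ONION + "/foo.html" },
  [ONION + "/foo.html"]: {},
  "https://blog.example/loop.html": { location: "https://blog.example/loop.html" },
};

// Decide what to do with one response's headers.
function nextStep(headers, alwaysOnion) {
  const { location, onionLocation } = headers;
  // Opted-in users: Onion-Location wins even when Location is also present.
  if (onionLocation && alwaysOnion) return { action: "follow-onion", url: onionLocation };
  // Location is a non-prompt redirect and is followed immediately.
  if (location) return { action: "follow-location", url: location };
  // Onion-Location without Location: ask the user.
  if (onionLocation) return { action: "prompt", url: onionLocation };
  return { action: "render", url: null };
}

// Walk a redirect chain and report where the browser ends up.
function navigate(start, alwaysOnion, lookup = (u) => SITE[u] || {}, maxHops = 10) {
  const trail = [];
  let url = start;
  for (let hop = 0; hop < maxHops; hop++) {
    const step = nextStep(lookup(url), alwaysOnion);
    trail.push(step.action);
    if (step.action === "render" || step.action === "prompt") {
      return { finalUrl: url, promptFor: step.url, trail };
    }
    url = step.url;
  }
  // Hop limit reached: treat as a redirect loop instead of spinning forever.
  return { finalUrl: url, promptFor: null, trail: [...trail, "too-many-redirects"] };
}
```

For the old URL that serves both headers, a user who has not opted in lands on the clearnet `/foo.html` and is prompted there, while an opted-in user switches to the onion service first and follows the Location redirect on that side.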