On 14 Nov 2017, at 23:51, George Kadianakis desnacked@riseup.net wrote:
> 3.2. Auto-redirects too intrusive? Make them optional.
> If we think that auto redirects are too intrusive, we should consider making them optional, or letting the website specify the desired behavior.
> If a website wants to specify an onion address but doesn't like auto-redirects, it could specify that as part of Alt-Svc and we could still inform the user that an onion is available using a notification bar again.
Inform the user that the onion address is available.
Make the default behaviour *not* to redirect (it's not faster, it's not more secure, and it's surprising). But I'd be willing to compromise here, by letting the site specify an initial default, and having the Tor Browser default be whatever.
Let *the user* control the behaviour via the notification bar, and maybe allow them to set a session default. (This won't be persistent, for disk leak reasons.)
> - Drawbacks
You missed the biggest one:
If the onion site is down, the user will be redirected to the downed site. (I've used onion site redirects with this issue; it's really annoying.) Similarly, if a feature is broken on the onion site, the user will be redirected to a site they can't use.
Or if the user simply wants to use the non-onion site for some reason (maybe they want a link they can share with their non-onion friends, or maybe they don't want to reveal they're using Tor Browser).
Users *must* have a way to disable the redirect on every redirect.
T