[tbb-bugs] #34366 [Applications/Tor Browser]: The onion-location mechanism does not redirect to full URL
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 12 10:53:48 UTC 2020
#34366: The onion-location mechanism does not redirect to full URL
--------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-9.5-issues | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by acat):
Replying to [comment:3 mcs]:
> For what it's worth, it would be more consistent with HTTP's `Location`
header to preserve fragment identifiers. From
https://tools.ietf.org/html/rfc7231#section-7.1.2:
> If the Location value provided in a 3xx (Redirection) response does
> not have a fragment component, a user agent MUST process the
> redirection as if the value inherits the fragment component of the
> URI reference used to generate the request target (i.e., the
> redirection inherits the original reference's fragment, if any).
> The RFC also include some examples. I don't think reusing the fragment
component would be harmful in too many cases and we could leave it to the
website maintainer to watch out for such problems.
Thanks, I did not know that. It seems we lost this by basing our
implementation in `Refresh` instead of `Location` redirects (to avoid
issues with the redirect `Response` codes). Yes, maybe we could just
modify our patch to always inherit the fragment (if the `Onion-Location`
doesn't have a fragment already).
Replying to [comment:2 sysrqb]:
>I understand why this is a useful feature, but I worry about successfully
achieving this goal. I think the underlying question is "should reloading
a page based on onion-location provide same-origin behavior?". If it
should not provide that behavior, then we should simply reload the page
using the provided URL without modification. If the behavior should be
"same-origin"-like, then I like the idea of providing a "relative" mode.
However, if that is the case, then we need to discuss how cookies and
storage are shared. I expect some pages contain content depending on a
cookie or localstorage, and reloading the page with a different domain may
cause weird problems if the anchor isn't valid on the new page or in the
SPA. Alt-svc entirely avoids this problem.
Treating as the same-origin is an interesting idea, and I think we should
consider it (probably has some risks, since this behaviour is not there
for `Location` or any redirects in general). But given that inheriting the
fragment already happens with `Location`, it **may** be just fine to also
implement it for `Onion-Location`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34366#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list