[tor-bugs] #31295 [- Select a component]: please server Tor signature files with Content-Disposition that encourages a download rather than inline viewing
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 30 21:37:14 UTC 2019
#31295: please server Tor signature files with Content-Disposition that encourages
a download rather than inline viewing
--------------------------------------+--------------------
Reporter: dkg | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+--------------------
When i click on the `sig` link in https://www.torproject.org/download/
(which points to https://www.torproject.org/dist/torbrowser/8.5.4
/torbrowser-install-win64-8.5.4_en-US.exe.asc ) i find the OpenPGP
signature displayed in the browser directly, rather than being saved to a
file.
But the [[https://support.torproject.org/tbb/how-to-verify-
signature/|instructions for verifying the OpenPGP signature]] seem to
assume that the signature file has been downloaded as a file.
If you use [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
/Content-Disposition|Content-Disposition]] you should be able to encourage
the web browser to save the signatures as a file in the same way that the
installer is a file.
I'm attaching a HAR archive of what my browser (Firefox 68) did when
clicking on the `sig` link, which i think verifies that no `Content-
Disposition` header was sent.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31295>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list