[tor-bugs] #34366 [Applications/Tor Browser]: The onion-location mechanism does not redirect to full URL

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 8 17:32:47 UTC 2020 

#34366: The onion-location mechanism does not redirect to full URL
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-9.5-issues            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by sysrqb):

 Replying to [comment:1 acat]:
 > One way to avoid having to scroll again would be to keep the scroll
 position when there is the redirect. That might solve the issue when there
 is no hash in the url, so this solution might be implemented
 independently.
 >
 > However, the hash part of the URL (fragment identifier?) is not only
 used for anchors, but also for other stuff like navigation in single-page
 applications, etc., so it would be good to preserve it. One idea would be
 to allow a "relative mode" for Onion-Location, where the value is
 interpreted as the scheme + host, and the redirect is performed by
 appending the current path + query params + hash to it. This would also
 allow to have shorter and simpler Onion-Location headers for websites, and
 in most cases, to serve the same static Onion-Location header for the
 whole website.

 I understand why this is a useful feature, but I worry about successfully
 achieving this goal. I think the underlying question is "should reloading
 a page based on onion-location provide same-origin behavior?". If it
 should not provide that behavior, then we should simply reload the page
 using the provided URL without modification. If the behavior should be
 "same-origin"-like, then I like the idea of providing a "relative" mode.
 However, if that is the case, then we need to discuss how cookies and
 storage are shared. I expect some pages contain content depending on a
 cookie or localstorage, and reloading the page with a different domain may
 cause weird problems if the anchor isn't valid on the new page or in the
 SPA. Alt-svc entirely avoids this problem.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34366#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list