[tor-bugs] #34366 [Applications/Tor Browser]: The onion-location mechanism does not redirect to full URL

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 12 10:53:48 UTC 2020


#34366: The onion-location mechanism does not redirect to full URL
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-9.5-issues            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by acat):

 Replying to [comment:3 mcs]:
 > For what it's worth, it would be more consistent with HTTP's `Location`
 header to preserve fragment identifiers. From
 https://tools.ietf.org/html/rfc7231#section-7.1.2:
 >  If the Location value provided in a 3xx (Redirection) response does
 >  not have a fragment component, a user agent MUST process the
 >  redirection as if the value inherits the fragment component of the
 >  URI reference used to generate the request target (i.e., the
 >  redirection inherits the original reference's fragment, if any).
 > The RFC also include some examples. I don't think reusing the fragment
 component would be harmful in too many cases and we could leave it to the
 website maintainer to watch out for such problems.

 Thanks, I did not know that. It seems we lost this by basing our
 implementation in `Refresh` instead of `Location` redirects (to avoid
 issues with the redirect `Response` codes). Yes, maybe we could just
 modify our patch to always inherit the fragment (if the `Onion-Location`
 doesn't have a fragment already).

 Replying to [comment:2 sysrqb]:
 >I understand why this is a useful feature, but I worry about successfully
 achieving this goal. I think the underlying question is "should reloading
 a page based on onion-location provide same-origin behavior?". If it
 should not provide that behavior, then we should simply reload the page
 using the provided URL without modification. If the behavior should be
 "same-origin"-like, then I like the idea of providing a "relative" mode.
 However, if that is the case, then we need to discuss how cookies and
 storage are shared. I expect some pages contain content depending on a
 cookie or localstorage, and reloading the page with a different domain may
 cause weird problems if the anchor isn't valid on the new page or in the
 SPA. Alt-svc entirely avoids this problem.
 Treating as the same-origin is an interesting idea, and I think we should
 consider it (probably has some risks, since this behaviour is not there
 for `Location` or any redirects in general). But given that inheriting the
 fragment already happens with `Location`, it **may** be just fine to also
 implement it for `Onion-Location`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34366#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list