[tor-dev] UX improvement proposal: Onion auto-redirects using Alt-Svc HTTP header
Tom Ritter
tom at ritter.vg
Fri Jul 13 15:24:42 UTC 2018
On 7 July 2018 at 13:07, Iain Learmonth <irl at torproject.org> wrote:
> Hi,
>
> I've had a go at implementing this for my personal blog. Here are some
> things:
Good feedback!
> My personal website is a static site (mostly). In my implementation, I
> took a list of all possible HTML URLs (excluding images, stylesheets,
> etc.) and generated a list of corresponding onion locations.
>
> I figured that being a blog, people often link to individual pages
> instead of just to my homepage (which is probably the least useful page
> on the site). Having the Onion-Location header on every page someone
> could land on gives the best chance that they will discover the onion
> service.
Ah, that makes sense. You want /foo.html to serve an Onion-Location
that goes to /foo.html
But you're saying you did this manually for each file? I guess I
hadn't thought about how I would implement this (for Apache)... http
-> https redirection is done with mod_write, typically something like
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
I don't mess with Apache/mod_rewrite much, but surely there's a way to
write out the Onion-Location header with the supplied path/querystring
automatically?
> But then I realised that some of the locations I had generated
> Onion-Locations for would also be serving Location headers as they were
> old URLs. What should a browser do in this case? What should an
> implementer do? In my implementation, I've thrown in the Onion-Location
> headers regardless of whether or not a Location header is also present
> because it was easier.
I think that is fine but....
> It could be preferable that the redirection is followed after switching
> to the Onion service (i.e. Location header is ignored until user
> responds to the Onion-Location header prompt), but this would mean the
> page wouldn't have loaded before you get the prompt to go to the Onion
> service, which may be confusing for users. Alternatively, if the page
> has a Location header then the Onion-Location header should be ignored.
I agree that if a Location header is present, the browser should
follow it immediately. If the subsequent location has an
Onion-Location header (and no Location header) then the browser should
prompt.
Location is a non-prompt, non-negotiable redirect.
Onion-Location is a prompted, user-chosen redirect.
The only question in my mind is if the user has opted in to always
following Onion-Location redirects, then the question is: which header
do you follow? And I would suggest Onion-Location although I don't
have a strong argument for that choice besides "It's our feature, we
should give it precedence."
-tom
More information about the tor-dev
mailing list