search

tor2web / Tor2web

Tor2web is an HTTP proxy software that enables access to Tor Hidden Services by mean of common web browsers
https://www.tor2web.org
GNU Affero General Public License v3.0
705 stars 176 forks source link

Clientside Rewrite Experimentation #181

Open evilaliv3 opened 9 years ago

evilaliv3 commented 9 years ago

As part of an experimentation me and @virgil are going to implement a clientside rewrite mode of tor2web.

This ticket deals with this experimentation that involve the following spec:

When accessing https://am4wuhz3zifexz5u.tor2web.org/path/to/file.html ...

(1) am4wuhz3zifexz5u.tor2web.org returns a page with an IFRAME of size 100% x 100% as well as some JavaScript. The contents of this "iframe-spitter" page will be something like:

###this title will be automatically replaced###

(2) am4wuhz3zifexz5u.raw.tor2web.org returns the unaltered content from the am4wuhz3zifexz5u.onion . The headers for am4wuhz3zifexz5u.raw.tor2web.org contain the same header trickier we currently do as well as.

Access-Control-Allow-Origin: https://am4wuhz3zifexz5u.tor2web.org

This header is Cross-origin Resource Sharing (http://www.w3.org/TR/cors/) and will allow the JavaScript in the frameset to modify the contents in the frame.

(3) url_rewriter.js simply goes into the iframe's DOM and rewrites all of the hrefs.; the javascript will be probably embedded in the page in order to minimize the number of requests;

(4) title_rewrite.js reads iframe, gets its title, and overwrites the title of "###this titile will be automatically replaced###" with the iframe's element. the javascript will be probably embedded in the page in order to minimize the number of requests;</p> <p>(5) For simplicity we might want to make the iframe-spitter and the tor2web code different codebases/repositories. We can just use plain DNS to put them on separate machines.</p> <p>(6) As benefit of the iframe sandbox property we can ensure that .onion pages don't get rid of our tor2web header.</p> <h2></h2> <bountysource-plugin> --- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/6930867-clientside-rewrite-experimentation?utm_campaign=plugin&utm_content=tracker%2F318575&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F318575&utm_medium=issues&utm_source=github). </bountysource-plugin> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/evilaliv3"><img src="https://avatars.githubusercontent.com/u/217034?v=4" />evilaliv3</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>@virgil the iframe should not automatically load its content by url but the content of the iframe should by written by our javascript. this is needed in order to prevent the browser to eventually starting loading resources that have not been already mangled by our code.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/virgil"><img src="https://avatars.githubusercontent.com/u/81322?v=4" />virgil</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>@evilaliv3 that would be fine by me. But I want to know your precise concern. Are you concerned tha:</p> <p>(1) users will click links before the our javascript runs? Or (2) user's javascript will be turned off?</p> <p>If (1), Is there something clever we can do so that the URLs are rewritten as the iframe is being painted? I have no idea. If there's no clever way to do this, I wholly support doing a "display: none" until the URLs are rewritten.</p> <p>If (2), I'd say tor2web loading a "non-mangled" page is better that not loading anything at all.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/evilaliv3"><img src="https://avatars.githubusercontent.com/u/217034?v=4" />evilaliv3</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>Nope is not a matter of user clicks but of automstics fetch of not mangled resources by the browser like for the images nested iframes object bla bla.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/fpietrosanti"><img src="https://avatars.githubusercontent.com/u/770363?v=4" />fpietrosanti</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>Can you override any kind of low-level ajax resources function, in order to mangle the requests going from application code of JS application that cannot otherwise be rewritten client-side?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/fpietrosanti"><img src="https://avatars.githubusercontent.com/u/770363?v=4" />fpietrosanti</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>Btw i would suggest to first move tor2web to the iframe embedding approach that's valuable to prevent the override of Tor2web banner injection avoidance, like CryptoWall is doing</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/virgil"><img src="https://avatars.githubusercontent.com/u/81322?v=4" />virgil</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>Any inline images won't load on the first pass (because of the .onion), but when they are rewritten by the javascript they will automatically refresh.</p> <p>Would like to see if this yields an unpleasant UX before trying to solve this problem more deeply.</p> <p>-V On Dec 15, 2014 6:00 AM, "Fabio (naif) Pietrosanti" < notifications@github.com> wrote:</p> <blockquote> <p>Can you override any kind of low-level ajax resources function, in order to mangle the requests going from application code of JS application that cannot otherwise be rewritten client-side?</p> <p>— Reply to this email directly or view it on GitHub <a href="https://github.com/globaleaks/Tor2web-3.0/issues/181#issuecomment-66997367">https://github.com/globaleaks/Tor2web-3.0/issues/181#issuecomment-66997367</a> .</p> </blockquote> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>