Opened 3 years ago

Closed 3 years ago

#20249 closed defect (fixed)

Captcha not displaying on hidden service mirror of bridges.torproject.org

Reported by: cypherpunks
Owned by: isis
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: bridgedb-reportbug
Cc: isis, weasel
Actual Points: 1
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description

Hidden service mirror of bridges.torproject.org (http://z5tfsnikzulwicxs.onion) fails to display the captcha for all bridge types (fte, obfs*, scramblesuit) on Tor Browser 6.0.5, running Tails 2.6 on x64.
Screenshots:
http://matrixtxri745dfw.onion/neo/uploads/160926/MATRIXtxri745dfwONION_233544UUF_issue0.png
http://matrixtxri745dfw.onion/neo/uploads/160926/MATRIXtxri745dfwONION_233841AdL_issue1.png

Change History (6)

comment:1 Changed 3 years ago by isis

Closed #21002 as a duplicate of this bug.

comment:2 Changed 3 years ago by isis

This has probably something to do with the CSP policy getting applied in a buggy way to the onion service that weasel set up.

comment:3 Changed 3 years ago by weasel

Cc: weasel added

So, should we get rid of

Header set Content-Security-Policy: "default-src 'self';"

comment:4 in reply to:  3 ; Changed 3 years ago by isis

Replying to weasel:

> So, should we get rid of
>
> Header set Content-Security-Policy: "default-src 'self';"

I think(?) if we remove that, then the images (when requesting the Hidden Service) will instead come from https://bridges.torproject.org. We could try changing it to:

        Header set Content-Security-Policy: "default-src 'self'; img-src 'self' data:;"

That might work? It's probably getting tripped up on the data: URL.

comment:5 Changed 3 years ago by weasel

Did that now.

comment:6 in reply to:  4 Changed 3 years ago by isis

Actual Points: 1
Points: 1
Resolution: fixed
Status: new → closed

Replying to isis:

> Replying to weasel:
>
> > So, should we get rid of
> >
> > Header set Content-Security-Policy: "default-src 'self';"
>
> I think(?) if we remove that, then the images (when requesting the Hidden Service) will instead come from https://bridges.torproject.org. We could try changing it to:
>
>         Header set Content-Security-Policy: "default-src 'self'; img-src 'self' data:;"
>
> That might work? It's probably getting tripped up on the data: URL.

weasel added that, now it's fixed.
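
A simplified model of how a browser evaluates the two policies from this ticket against a `data:` image, as an added example that is not part of the ticket or of BridgeDB's code. The `data:` URI is a constructed sample, the function names are hypothetical, and the matcher covers only `'self'`, `'none'`, scheme sources and host sources with an explicit scheme.

```javascript
// Simplified CSP source-list matcher for image loads (added example).
// Real CSP matching has more rules (wildcards, ports, paths, nonces).

function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function imageAllowed(headerValue, pageOrigin, imageUrl) {
  const directives = parsePolicy(headerValue);
  // img-src falls back to default-src when it is absent.
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no applicable directive
  const target = new URL(imageUrl, pageOrigin);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    // 'self' matches the page's own origin only; it never matches data:.
    if (s === "'self'") return target.origin === new URL(pageOrigin).origin;
    // Scheme source such as data: or https:
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
    // Host source with an explicit scheme, e.g. https://example.org
    if (s.includes('://')) return target.origin === new URL(s).origin;
    return false; // other source forms are outside this example
  });
}

const ORIGIN = 'http://z5tfsnikzulwicxs.onion';   // onion mirror from the ticket
const OLD_POLICY = "default-src 'self';";         // header quoted in comment:3
const NEW_POLICY = "default-src 'self'; img-src 'self' data:;"; // comment:4
const CAPTCHA = 'data:image/jpeg;base64,AAAA';    // constructed sample data: URI

console.log('old policy allows captcha:', imageAllowed(OLD_POLICY, ORIGIN, CAPTCHA));
console.log('new policy allows captcha:', imageAllowed(NEW_POLICY, ORIGIN, CAPTCHA));
```

The new policy widens only `img-src`, so scripts, styles and frames stay restricted to `'self'` through the `default-src` fallback.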
