Changes between Initial Version and Version 1 of Ticket #21537


Timestamp:
Feb 23, 2017, 3:13:00 PM
Author:
micah
  • Ticket #21537 – Description

    initial -> v1

    Removed (initial, line 1):
    It's hard to set up onion services because you need to enable secure cookies sometimes and disable them other times. Right now you have to make a trade-off: work well with .onions, or work well with everyone else. One of the main problem points has been secure cookies.

    Added (v1, lines 1-3):
    One of the main problem points with adding onion services to existing web services has been interaction with secure cookies. It's hard to set up onion services because you need to enable secure cookies sometimes (over the regular network + TLS) and disable them other times (over the .onion network, without TLS). Right now you have to make a trade-off: work well with .onions, or work well with everyone else. This is an unfortunate trade-off.

    It is considered a best practice that every web developer is told to do, but it's a best practice that doesn't work if you want to run an onion site. Running an onion site should not force you to violate established web application development best practices.

    Unmodified (initial line 3 / v1 line 5):
    The idea of "secure cookies" is that they prevent you from leaking your cookie information over an insecure connection. There are a lot of ways you can leak your cookie info over an insecure connection:

    [initial lines 4-7 / v1 lines 6-9, the list of ways cookies can leak, are unchanged and collapsed in this diff view]

    Unmodified (initial line 9 / v1 line 11):
    Using "secure cookies" allows the application (regardless of how it is run, or what intermediaries are in between) to make sure that the browser doesn't screw this up. It tells the browser to never submit the cookie over plaintext. Many frameworks have this set by default (such as Rails). Some applications, such as Java/Tomcat, have the cookie setting as part of the stack, and it happens before the redirect to https.

    Removed (initial, line 11):
    It is considered a best practice that every web developer is told to do, but it's a best practice that doesn't work if you want to run an onion site. Running an onion site should not force you to violate established web application development best practices.

    Unmodified (initial line 13 / v1 line 13):
    The "secure cookies" spec is just a "suggestion" to the browser, so TBB is free to ignore them, and I think that maybe it should do so for .onion sites.
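The browser-side rule the ticket is about, as an added example that is not part of the ticket or of Tor Browser's code: a small cookie-jar model that applies the Secure-attribute send rule from RFC 6265 section 5.4 (a Secure cookie is only attached to requests over a "secure" scheme, i.e. https) and then shows the trade-off the description complains about. The `onionIsSecure` option is an assumption modelling the proposal at the end of the description (treat plain-http `.onion` requests as secure); the origins `https://example.com` and `http://exampleonionaddress.onion` are constructed placeholders, not real services, and only the Secure attribute and host matching are modelled (no Path, Domain, Expires or SameSite).

```javascript
// Added example, not code from the ticket or from Tor Browser.
// Models the RFC 6265 §5.4 rule: a cookie carrying the Secure attribute is
// attached only to requests whose scheme is "secure" (https). The
// `onionIsSecure` option is an assumption modelling the ticket's proposal.

// Parse a Set-Cookie header into { name, value, secure }.
// Only the Secure attribute is modelled; other attributes are ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: attrs.some((a) => a.toLowerCase() === 'secure'),
  };
}

class CookieJar {
  constructor({ onionIsSecure = false } = {}) {
    this.onionIsSecure = onionIsSecure;
    this.cookies = new Map(); // key: host + '\0' + cookie name
  }

  // May a request to this URL carry Secure cookies?
  isSecureContext(urlString) {
    const u = new URL(urlString);
    if (u.protocol === 'https:') return true;
    // Assumed proposal from the ticket: an .onion address is reached over an
    // authenticated, encrypted Tor circuit, so treat plain-http .onion as secure.
    return this.onionIsSecure && u.hostname.endsWith('.onion');
  }

  // Store a cookie sent by the server at urlString. Per RFC 6265 the browser
  // stores a Secure cookie even if it arrived over http; it just never sends
  // it back over a non-secure connection.
  store(urlString, setCookieHeader) {
    const host = new URL(urlString).hostname;
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(host + '\0' + c.name, c);
  }

  // Build the Cookie header for a request to urlString, applying the
  // secure-only rule that makes Secure cookies vanish on http://*.onion.
  cookieHeaderFor(urlString) {
    const host = new URL(urlString).hostname;
    const secureCtx = this.isSecureContext(urlString);
    const parts = [];
    for (const [key, c] of this.cookies) {
      if (!key.startsWith(host + '\0')) continue;
      if (c.secure && !secureCtx) continue; // the rule that breaks .onion logins
      parts.push(`${c.name}=${c.value}`);
    }
    return parts.join('; ');
  }
}

// Constructed placeholder origins (not real services).
const CLEARNET = 'https://example.com';
const ONION = 'http://exampleonionaddress.onion';

// The app sets its session cookie at `origin` with or without Secure; does the
// next request to the same origin carry it back?
function sessionSurvives(origin, secureFlag, opts) {
  const jar = new CookieJar(opts);
  jar.store(origin + '/login', 'session=abc123' + (secureFlag ? '; Secure' : ''));
  return jar.cookieHeaderFor(origin + '/dashboard').includes('session=abc123');
}

// The cost of dropping Secure on the clearnet site: a cookie set over https is
// sent along with a later plain-http request to the same host.
function leaksOverPlaintext(secureFlag) {
  const jar = new CookieJar();
  jar.store(CLEARNET + '/login', 'session=abc123' + (secureFlag ? '; Secure' : ''));
  return jar.cookieHeaderFor('http://example.com/img/logo.png').includes('session=abc123');
}

function tradeoffTable() {
  return {
    secureClearnet: sessionSurvives(CLEARNET, true),   // best practice, works
    secureOnion: sessionSurvives(ONION, true),         // best practice, onion login breaks
    insecureOnion: sessionSurvives(ONION, false),      // works, but Secure is gone
    clearnetLeaksWithoutSecure: leaksOverPlaintext(false),
    secureOnionWithProposal: sessionSurvives(ONION, true, { onionIsSecure: true }),
  };
}

console.log(tradeoffTable());
```

Run with `node`; the table shows the two halves of the trade-off (Secure on: onion login breaks; Secure off: the clearnet cookie goes out over plaintext) and the single case, `secureOnionWithProposal`, where the browser-side exception lets the application keep the Secure attribute everywhere.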