Opened 15 months ago

Last modified 15 months ago

#26832 reopened defect

Allow use of https://check.torproject.org/api/ip by content

Reported by: arthuredelstein Owned by: arlolra
Priority: Medium Milestone:
Component: Applications/Tor Check Version:
Severity: Normal Keywords:
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arthuredelstein)

I would like to create a page on another domain that demonstrates stream isolation in Tor Browser. This is the mechanism whereby each website is downloaded via a different Tor circuit, but a web page in an iframe is downloaded via the same Tor circuit as the first party parent document was.

Right now, https://check.torproject.org/api/ip cannot be included in iframes or fetched by a script in a web page.

So I would like to propose setting
Access-Control-Allow-Origin: *
and removing the X-Frame-Options header
for this particular endpoint.

Child Tickets

Change History (8)

comment:1 Changed 15 months ago by arthuredelstein

Cc: arthuredelstein added
Description: modified (diff)
Status: newneeds_review

Here's a proposed patch.
https://github.com/arthuredelstein/check/commit/26832

Any feedback appreciated. Thanks in advance! :)

comment:2 Changed 15 months ago by arthuredelstein

Description: modified (diff)

comment:3 Changed 15 months ago by arma

I think check gets fronted by an apache, to unify our external webserver exposure.

$ curl -D - https://check.torproject.org/
HTTP/1.1 200 OK
Date: Wed, 18 Jul 2018 17:17:05 GMT
Server: Apache

So I think if we want to set these things, we either need to confirm that Apache doesn't add its own if check does (which I doubt is the case, and it's probably good that way) or we'll need to do the change at the apache level.

comment:4 Changed 15 months ago by arma

I wonder if there are surprising safety implications to users if we do this.

Maybe we want to do it more explicitly, by making a new "check-api.torproject.org" site that is more clearly separate, and just serves that one thing?

I can also see the conflict between "we should use all of our own tools where we can" and "we should stop making even more per-site exceptions to our webserver security rules".

For example, would some other site like
https://wtfismyip.com/text
do the demo job just as well?

comment:5 in reply to:  4 Changed 15 months ago by arthuredelstein

Replying to arma:

For example, would some other site like
https://wtfismyip.com/text
do the demo job just as well?

I hadn't seen that one. https://wtfismyip.com/json even tells you if you have a Tor exit. So, yes, I can use that for now, and also double-check exit status with https://check.torproject.org/api/bulk?ip=93.184.216.34

If check.torproject.org did implement this, I would prefer to use it just for the sake of a more "authoritative" source.

comment:6 Changed 15 months ago by arthuredelstein

Resolution: wontfix
Status: needs_reviewclosed

As there's no urgency for this feature, I'll close the ticket. Feel free to re-open if somebody wants to actually implement it.

comment:7 Changed 15 months ago by arthuredelstein

Resolution: wontfix
Status: closedreopened

I was persuaded to re-open the ticket. :) It would be nice to have this change, though I'm not sure of the security downsides. Maybe someone in the know has a suggestion about how to do this safely.

comment:8 Changed 15 months ago by arlolra

So I think if we want to set these things, we either need to confirm that Apache doesn't add its own if check does (which I doubt is the case, and it's probably good that way) or we'll need to do the change at the apache level.

Yeah, it's Apache settings these things, so if we decide it's a good thing, a patch looks more like an .htaccess file.

Note: See TracTickets for help on using tickets.