#31089 closed enhancement (fixed)

Consider using data-URI to embed how_tor_works_thumb.png image into tor-exit-notice.html

Reported by: rl1987
Owned by:
Priority: Low
Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor
Version:
Severity: Trivial
Keywords: security-low, 029-backport, 035-backport, 040-backport, 041-backport, consider-backport-after-0421
Cc:
Actual Points: 0.2
Parent ID:
Points: 0.2
Reviewer: teor
Sponsor:


We can only serve a single HTML file with the DirPortFrontPage configuration option. Currently we provide an exit notice file in tor-exit-notice.html, which embeds an image with basic Tor network schematics from the Tor website. We may want to use the data-URI format (as described in RFC 2397) to hardcode this image into the HTML and avoid loading it from an external webserver.

Change History (12)

comment:1 Changed 16 months ago by rl1987

Type: defect → enhancement

comment:2 Changed 16 months ago by rl1987

Status: new → needs_review

comment:3 Changed 16 months ago by nickm

Milestone: Tor: unspecified → Tor: 0.4.2.x-final

comment:4 Changed 16 months ago by dgoulet

Reviewer: teor

comment:5 Changed 15 months ago by teor

Keywords: security-low 029-backport 035-backport 040-backport 041-backport added

Loading a remote image is a web bug, so this is a low-severity security issue that needs to be backported.

I can do the backport branches as part of the review. I'll also try to modify the git scripts to create backport branches at the same time (#31314).

comment:6 Changed 15 months ago by teor

Actual Points: 0.2
Keywords: consider-backport-after-0416 added
Points: 0.2
Status: needs_review → merge_ready

Here are the pull requests:

All the other merges are clean. CI doesn't run on this file, so there's no point in pushing any other test branches.

I tested the new file in Tor Browser, Firefox, and Chrome. It looks the same, but there are no network requests.

Marking for backport after Tor has been released, so we have a chance to discover any issues in master.

comment:7 Changed 15 months ago by dgoulet

Keywords: asn-merge added

comment:8 Changed 15 months ago by asn

Keywords: asn-merge removed

Merged to master. Did not merge to 041 because of comment:6.

comment:9 Changed 15 months ago by nickm

Milestone: Tor: 0.4.2.x-final → Tor: 0.4.1.x-final

marked for possible backport

comment:10 Changed 14 months ago by teor

Keywords: consider-backport-after-0421 added; consider-backport-after-0416 removed

was stable, so these get backported after the next alpha

comment:11 Changed 14 months ago by nickm

Milestone: Tor: 0.4.1.x-final → Tor: 0.2.9.x-final

Merged to 0.2.9 and forward. The risk is low; the severity is low; and this will be easy for people to work around if anything breaks.

comment:12 Changed 14 months ago by teor

Resolution: fixed
Status: merge_ready → closed

(And the most likely breakage is a missing image in some browsers, which is better than a low-severity privacy issue.)
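
An added example, not code from this ticket or from Tor: a Python check for the property the ticket description asks for and comment:6 tests by hand, namely that the notice page triggers no network requests once the image is embedded as an RFC 2397 data URI. The URL, image bytes and HTML in it are constructed placeholders, and the function names are hypothetical.

```python
import base64
from html.parser import HTMLParser

# Attributes a browser fetches while rendering. <a href> is left out: a link
# loads nothing until the reader clicks it. <link href> is counted
# conservatively (stylesheets and icons are fetched).
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "embed": "src", "source": "src", "object": "data",
                  "link": "href"}

class LoadFinder(HTMLParser):
    """Collects (tag, url) for every resource the page would request."""
    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        for name, value in attrs:
            # data: URIs carry their own bytes, so nothing goes on the wire.
            if name == wanted and value and not value.lower().startswith("data:"):
                self.loads.append((tag, value))

def network_loads(html):
    finder = LoadFinder()
    finder.feed(html)
    return finder.loads

def to_data_uri(data, mime="image/png"):
    """RFC 2397 form: data:<mediatype>;base64,<payload>."""
    return "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))

def inline_image(html, url, data, mime="image/png"):
    """Swap a quoted reference to `url` for the image's data URI."""
    return html.replace('"%s"' % url, '"%s"' % to_data_uri(data, mime))

# Constructed sample input: a placeholder URL and a stand-in for the PNG
# bytes (only the 8-byte PNG signature), not the real notice or image.
SAMPLE_URL = "https://example.org/how_tor_works_thumb.png"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n"
SAMPLE_HTML = ('<html><body><p>This is a Tor exit router.</p>'
               '<a href="https://example.org/about">About</a>'
               '<img src="%s" alt="How Tor works"/></body></html>' % SAMPLE_URL)

if __name__ == "__main__":
    print("before:", network_loads(SAMPLE_HTML))
    fixed = inline_image(SAMPLE_HTML, SAMPLE_URL, SAMPLE_PNG)
    print("after: ", network_loads(fixed))
```

The check covers element attributes only; resources referenced from inline CSS `url()` or `srcset` would need their own pass.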
