Opened 3 months ago

Closed 5 days ago

#31089 closed enhancement (fixed)

Consider using data-URI to embed how_tor_works_thumb.png image into tor-exit-notice.html

Reported by: rl1987
Owned by:
Priority: Low
Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor
Version:
Severity: Trivial
Keywords: security-low, 029-backport, 035-backport, 040-backport, 041-backport, consider-backport-after-0421
Cc:
Actual Points: 0.2
Parent ID:
Points: 0.2
Reviewer: teor
Sponsor:

Description

We can only serve a single HTML file with the DirPortFrontPage configuration option. Currently we provide an exit notice file in tor-exit-notice.html, which embeds an image with basic Tor network schematics from the Tor website. We may want to use the data-URI format (as described in RFC 2397) to hardcode this image into the HTML and avoid loading it from an external webserver.

Change History (12)

comment:1 Changed 3 months ago by rl1987

Type: defect → enhancement

comment:2 Changed 2 months ago by rl1987

Status: new → needs_review

comment:3 Changed 2 months ago by nickm

Milestone: Tor: unspecified → Tor: 0.4.2.x-final

comment:4 Changed 2 months ago by dgoulet

Reviewer: teor

comment:5 Changed 7 weeks ago by teor

Keywords: security-low 029-backport 035-backport 040-backport 041-backport added

Loading a remote image is a web bug, so this is a low-severity security issue that needs to be backported.

I can do the backport branches as part of the review. I'll also try to modify the git scripts to create backport branches at the same time (#31314).

comment:6 Changed 7 weeks ago by teor

Actual Points: 0.2
Keywords: consider-backport-after-0416 added
Points: 0.2
Status: needs_review → merge_ready

Here are the pull requests:

All the other merges are clean. CI doesn't run on this file, so there's no point in pushing any other test branches.

I tested the new file in Tor Browser, Firefox, and Chrome. It looks the same, but there are no network requests.

Marking for backport after Tor 0.4.1.6 has been released, so we have a chance to discover any issues in master.

comment:7 Changed 6 weeks ago by dgoulet

Keywords: asn-merge added

comment:8 Changed 5 weeks ago by asn

Keywords: asn-merge removed

Merged to master. Did not merge to 041 because of comment:6.

comment:9 Changed 5 weeks ago by nickm

Milestone: Tor: 0.4.2.x-final → Tor: 0.4.1.x-final

marked for possible backport

comment:10 Changed 3 weeks ago by teor

Keywords: consider-backport-after-0421 added; consider-backport-after-0416 removed

0.4.1.5 was stable, so these get backported after the next alpha

comment:11 Changed 5 days ago by nickm

Milestone: Tor: 0.4.1.x-final → Tor: 0.2.9.x-final

Merged to 0.2.9 and forward. The risk is low; the severity is low; and this will be easy for people to work around if anything breaks.

comment:12 Changed 5 days ago by teor

Resolution: fixed
Status: merge_ready → closed

(And the most likely breakage is a missing image in some browsers, which is better than a low-severity privacy issue.)
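
Added example, not part of the ticket or of Tor's code: a check for the property tested in comment:6 (the page renders with no network requests), plus the RFC 2397 embedding proposed in the description. The URL, image bytes and HTML are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re
from html.parser import HTMLParser

# Attributes a browser fetches automatically while rendering. <a href> is
# navigation, so it is not listed. CSS url() and srcset are not covered here.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",), "video": ("src", "poster"),
    "audio": ("src",), "source": ("src",), "input": ("src",),
}
# scheme://host or protocol-relative //host; data: URIs and relative paths do not match
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)

def to_data_uri(data, mime="image/png"):
    """Build an RFC 2397 data URI with a base64-encoded payload."""
    return "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))

class FetchFinder(HTMLParser):
    """Collect (tag, attribute, url) for every automatically fetched remote URL."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS.get(tag, ()) and value and REMOTE.match(value):
                self.remote.append((tag, name, value))

def remote_fetches(html):
    finder = FetchFinder()
    finder.feed(html)
    finder.close()
    return finder.remote

def inline_images(html, images):
    """Swap each double-quoted src URL in `images` (url -> bytes) for a data URI."""
    for url, data in images.items():
        html = html.replace('src="%s"' % url, 'src="%s"' % to_data_uri(data))
    return html

# Constructed sample: placeholder URL and stand-in bytes, not the real notice or image.
URL = "https://example.invalid/how_tor_works_thumb.png"
PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-stand-in"
BEFORE = '<p><a href="https://example.invalid/about">About</a></p><img src="%s" alt="">' % URL

if __name__ == "__main__":
    print("before:", remote_fetches(BEFORE))
    print("after: ", remote_fetches(inline_images(BEFORE, {URL: PNG})))
```

An empty result from remote_fetches only covers the listed HTML attributes; a browser's network panel, as used in comment:6, remains the full check.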