Opened 3 months ago

Last modified 4 weeks ago

#31295 new defect

please serve Tor signature files with Content-Disposition that encourages a download rather than inline viewing

Reported by: dkg
Owned by: hiro
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords:
Cc: pili, anarcat
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When I click on the sig link in https://www.torproject.org/download/ (which points to https://www.torproject.org/dist/torbrowser/8.5.4/torbrowser-install-win64-8.5.4_en-US.exe.asc ) I find the OpenPGP signature displayed in the browser directly, rather than being saved to a file.

But the instructions for verifying the OpenPGP signature seem to assume that the signature file has been downloaded as a file.

If you use Content-Disposition you should be able to encourage the web browser to save the signatures as a file in the same way that the installer is a file.

I'm attaching a HAR archive of what my browser (Firefox 68) did when clicking on the sig link, which I think verifies that no Content-Disposition header was sent.

Child Tickets

Attachments (1)

dist.torproject.org_Archive [19-07-30 17-30-21].har.gz (2.2 KB) - added by dkg 3 months ago.
gzip


Change History (7)

comment:1 Changed 3 months ago by dkg

I had to gzip the HAR archive to avoid trac's spamfilter.

comment:2 Changed 3 months ago by anarcat

Component: - Select a component → Webpages/Website
Owner: set to hiro

comment:3 Changed 3 months ago by pili

Cc: pili added

Adding this to my "signature verification issues" list

comment:4 Changed 6 weeks ago by torlove

Thanks pili.

This does need to be fixed asap. The easier we can make working with such files the better.

comment:5 Changed 4 weeks ago by sysrqb

Cc: anarcat added

I wonder if this requires a configuration change on the webserver (instead of the webpage or templating). If it is, then the component of this ticket can be changed, too.
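An added check, not part of this ticket or its attachment, that reads a HAR capture like the one attached above and reports, for every .asc/.sig response, the Content-Type and the disposition type a browser would act on (a missing Content-Disposition header means inline per RFC 6266). The HAR content below is constructed for illustration; the example.invalid entry is a hypothetical response that already carries the header the ticket asks for.

```python
import json

# Constructed HAR fragment (not the ticket's attachment): the first entry mirrors
# what the reporter saw (no Content-Disposition), the second is a hypothetical
# response that serves the signature as an attachment.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://www.torproject.org/dist/torbrowser/8.5.4/"
                            "torbrowser-install-win64-8.5.4_en-US.exe.asc"},
         "response": {"status": 200, "headers": [
             {"name": "Content-Type", "value": "text/plain"}]}},
        {"request": {"url": "https://example.invalid/dist/tor-0.0.0.tar.gz.sig"},
         "response": {"status": 200, "headers": [
             {"name": "Content-Type", "value": "application/pgp-signature"},
             {"name": "Content-Disposition",
              "value": 'attachment; filename="tor-0.0.0.tar.gz.sig"'}]}},
    ]}
})

SIGNATURE_SUFFIXES = (".asc", ".sig")

def header(headers, name):
    """Return the first value of an HTTP header (case-insensitive name), or None."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def disposition_type(value):
    """Disposition type of a Content-Disposition value; no header means inline."""
    if value is None:
        return "inline"
    return value.split(";", 1)[0].strip().lower() or "inline"

def audit_har(har_text):
    """Map each signature-file URL to (content_type, disposition_type, served_as_attachment)."""
    results = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        if not url.lower().endswith(SIGNATURE_SUFFIXES):
            continue
        hdrs = entry["response"]["headers"]
        ctype = (header(hdrs, "Content-Type") or "").split(";")[0].strip()
        disp = disposition_type(header(hdrs, "Content-Disposition"))
        results[url] = (ctype, disp, disp == "attachment")
    return results

if __name__ == "__main__":
    for url, (ctype, disp, ok) in audit_har(SAMPLE_HAR).items():
        print("OK  " if ok else "FAIL", disp, ctype or "(no Content-Type)", url)
```

To run it against the real attachment, gunzip the .har.gz and pass the file contents to audit_har().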

comment:6 Changed 4 weeks ago by anarcat

It seems strange to make people download a text file instead of displaying it. After all, a .asc file is exactly *designed* to be user-readable and transported as text.

If we want users to download a blob, why don't we use the standard extension (as far as such a thing exists) which is .sig?

anarcat@curie:~(master)$ grep pgp /etc/mime.types 
application/pgp-encrypted			pgp
application/pgp-keys				key
application/pgp-signature			sig

(you'll note that .asc is not listed there, interestingly...)
