Add header to redirect website visitors using tor-browser to the .onion address
We have received a number of tickets by Tor Browser users that we should keep people visiting the .onion version of a torproject.org website in the .onion space. Instead, because we have different subdomains for different websites, a user surfing the onion version of torproject.org will be, for example, taken to support.torproject.org instead of its onion address.
I am willing to implement a header that signals the .onion address for all of our onions and I am currently considering the following options.
- Implement alt-svc. This is what Facebook does. Specifically, the browser receives an alt-svc header like:
alt-svc: h2="facebook2futmrduts5uqn3ahwg4qyqoks6h3alxf5drhsgyhzujyqad.onion:443"; ma=86400
- Use onion-location:
Onion-Location: http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/header/
- Use an onion-location meta-tag:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="onion-location" content="http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/meta/"/>
</head>
<body>
Onion-Location meta tag test.
</body>
</html>
I would personally prefer to use one of the two header options. Either the alt-svc or the onion-location one. Both have advantages. I like that with alt-svc the connection is upgraded to an onion location without the address bar changing. At the same time we should also showcase our onions! And if we launch the onion-location header support we should show it on our websites.
Something I would avoid is following the model that Privacy International uses, and issuing a "Location:" redirect when the client comes from an exit node. We currently do not check in our infrastructure where a user is coming from and I wouldn't like to start doing that.
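
The three mechanisms listed in the ticket can be audited from a captured response with a small checker. This is an added example, not code from the ticket or from the Tor Project: the function names are hypothetical, the onion check is a shape test only (16 or 56 base32 characters, no checksum), and it assumes only http/https URLs with a .onion host count as a valid Onion-Location value.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shape check only (assumption of this example): 16 or 56 base32 characters.
ONION_HOST = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

def onion_host(host):
    """Return the lowercased host if its last two labels look like an onion address."""
    host = (host or "").lower().rstrip(".")
    return host if ONION_HOST.match(".".join(host.split(".")[-2:])) else None

def url_onion(url):
    """Onion host of an http(s) URL, or None for other schemes and clearnet hosts."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    return onion_host(parts.hostname) if parts.scheme in ("http", "https") else None

def altsvc_onions(value):
    """Onion hosts among the alternatives of an Alt-Svc header value."""
    found = []
    for entry in value.split(","):
        # Each entry is protocol="host:port" followed by optional ;parameters.
        _proto, _, authority = entry.split(";")[0].strip().partition("=")
        host = onion_host(authority.strip('"').rpartition(":")[0])
        if host:
            found.append(host)
    return found

class MetaFinder(HTMLParser):
    """Collects the content of <meta http-equiv="onion-location"> tags."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "onion-location":
            self.urls.append(a.get("content", ""))

def advertised_onions(headers, body=""):
    """Map each mechanism from the ticket to the onion hosts a response advertises."""
    h = {k.lower(): v for k, v in headers.items()}
    meta = MetaFinder()
    meta.feed(body)
    return {
        "alt-svc": altsvc_onions(h.get("alt-svc", "")),
        "onion-location": [o for o in [url_onion(h.get("onion-location", ""))] if o],
        "meta": [o for o in map(url_onion, meta.urls) if o],
    }
```

A response whose three lists are all empty advertises no onion service, which is the case for a misconfigured header pointing at a clearnet host.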