Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-31 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+--
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  reopened
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by arlolra):

 > So I think if we want to set these things, we either need to confirm
 that Apache doesn't add its own if check does (which I doubt is the case,
 and it's probably good that way) or we'll need to do the change at the
 apache level.

 Yeah, it's Apache setting these things, so if we decide it's a good
 thing, a patch looks more like an `.htaccess` file.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-30 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+--
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  reopened
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by arthuredelstein):

 * status:  closed => reopened
 * resolution:  wontfix =>


Comment:

 I was persuaded to re-open the ticket. :) It would be nice to have this
 change, though I'm not sure of the security downsides. Maybe someone in
 the know has a suggestion about how to do this safely.


Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-18 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+-
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  closed
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:  wontfix
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+-
Changes (by arthuredelstein):

 * status:  needs_review => closed
 * resolution:   => wontfix


Comment:

 As there's no urgency for this feature, I'll close the ticket. Feel free
 to re-open if somebody wants to actually implement it.


Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-18 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+--
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  needs_review
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by arthuredelstein):

 Replying to [comment:4 arma]:

 > For example, would some other site like
 > https://wtfismyip.com/text
 > do the demo job just as well?

 I hadn't seen that one. https://wtfismyip.com/json even tells you if you
 have a Tor exit. So, yes, I can use that for now, and also double-check
 exit status with https://check.torproject.org/api/bulk?ip=93.184.216.34

 If check.torproject.org did implement this, I would prefer to use it just
 for the sake of a more "authoritative" source.


Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-18 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+--
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  needs_review
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by arma):

 I wonder if there are surprising safety implications to users if we do
 this.

 Maybe we want to do it more explicitly, by making a new
 "check-api.torproject.org" site that is more clearly separate, and just
 serves that one thing?

 I can also see the conflict between "we should use all of our own tools
 where we can" and "we should stop making even more per-site exceptions to
 our webserver security rules".

 For example, would some other site like
 https://wtfismyip.com/text
 do the demo job just as well?


Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-18 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+--
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  needs_review
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by arma):

 I think check gets fronted by an apache, to unify our external webserver
 exposure.

 {{{
 $ curl -D - https://check.torproject.org/
 HTTP/1.1 200 OK
 Date: Wed, 18 Jul 2018 17:17:05 GMT
 Server: Apache
 }}}

 So I think if we want to set these things, we either need to confirm that
 Apache doesn't add its own if check does (which I doubt is the case, and
 it's probably good that way) or we'll need to do the change at the apache
 level.


Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-16 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+--
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  needs_review
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Description changed by arthuredelstein:

Old description:

> I would like to create a page on another domain that demonstrates stream
> isolation in Tor Browser. This is the mechanism whereby each website is
> downloaded by via a different Tor circuit, but a web page in an iframe is
> downloaded via the same Tor circuit as the first party parent document
> was.
>
> Right now, https://check.torproject.org/api/ip cannot be included in
> iframes or fetched by a script in a web page.
>
> So I would like to propose setting
> `Access-Control-Allow-Origin: *`
> and removing the `X-Frame-Options` header
> for this particular endpoint.

New description:

 I would like to create a page on another domain that demonstrates stream
 isolation in Tor Browser. This is the mechanism whereby each website is
 downloaded via a different Tor circuit, but a web page in an iframe is
 downloaded via the same Tor circuit as the first party parent document
 was.

 Right now, https://check.torproject.org/api/ip cannot be included in
 iframes or fetched by a script in a web page.

 So I would like to propose setting
 `Access-Control-Allow-Origin: *`
 and removing the `X-Frame-Options` header
 for this particular endpoint.

--


Re: [tor-bugs] #26832 [Applications/Tor Check]: Allow use of https://check.torproject.org/api/ip by content

2018-07-16 Thread Tor Bug Tracker & Wiki
#26832: Allow use of https://check.torproject.org/api/ip by content
+--
 Reporter:  arthuredelstein |  Owner:  arlolra
 Type:  defect  | Status:  needs_review
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Check  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by arthuredelstein):

 * cc: arthuredelstein (added)
 * status:  new => needs_review


Old description:

> I would like to create a page on another domain that demonstrates stream
> isolation in Tor Browser. This is the mechanism whereby a web page in an
> iframe is downloaded via the same Tor circuit as the first party parent
> document was.
>
> Right now, https://check.torproject.org/api/ip cannot be included in
> iframes or fetched by a script in a web page.
>
> So I would like to propose setting
> Access-Control-Allow-Origin: *
> and removing the `X-Frame-Options` header
> for this particular endpoint.

New description:

 I would like to create a page on another domain that demonstrates stream
 isolation in Tor Browser. This is the mechanism whereby each website is
 downloaded by via a different Tor circuit, but a web page in an iframe is
 downloaded via the same Tor circuit as the first party parent document
 was.

 Right now, https://check.torproject.org/api/ip cannot be included in
 iframes or fetched by a script in a web page.

 So I would like to propose setting
 `Access-Control-Allow-Origin: *`
 and removing the `X-Frame-Options` header
 for this particular endpoint.

--

Comment:

 Here's a proposed patch.
 https://github.com/arthuredelstein/check/commit/26832

 Any feedback appreciated. Thanks in advance! :)

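
The header question this thread turns on, as an added example that is not part of the ticket or of the check code base: a small model of how a browser treats the final response headers, used to confirm that the proposed exception (`Access-Control-Allow-Origin: *`, no `X-Frame-Options`) takes effect on `/api/ip` and nowhere else, including the case arma raises where the fronting Apache and the backend both add a header. The sample responses, `demo.example` and all function names are constructed; CSP `frame-ancestors` is not modelled.

```javascript
// Added example: models only Access-Control-Allow-Origin and X-Frame-Options.
// Headers are [name, value] pairs so duplicates (backend plus proxy) survive.
function values(headers, name) {
  return headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v.trim());
}

// CORS check for a fetch without credentials. Repeated headers are joined
// with ", ", so two copies of "*" become "*, *" and the check fails.
function corsReadable(headers, origin) {
  const vals = values(headers, "access-control-allow-origin");
  if (vals.length === 0) return false;
  const combined = vals.join(", ");
  return combined === "*" || combined === origin;
}

// X-Frame-Options check for a cross-origin parent page.
function frameable(headers) {
  const tokens = new Set(values(headers, "x-frame-options")
    .flatMap((v) => v.split(",")).map((t) => t.trim().toLowerCase()));
  const known = ["deny", "sameorigin", "allowall"].some((t) => tokens.has(t));
  if (tokens.size > 1) return !known; // conflicting known values block framing
  return !(tokens.has("deny") || tokens.has("sameorigin"));
}

// Report every path whose exposure differs from the single intended exception.
function auditScope(responses, exceptionPath, origin) {
  const findings = [];
  for (const [path, headers] of Object.entries(responses)) {
    const readable = corsReadable(headers, origin);
    const framed = frameable(headers);
    if (path === exceptionPath && !(readable && framed)) {
      findings.push(`${path}: exception not effective`);
    } else if (path !== exceptionPath && (readable || framed)) {
      findings.push(`${path}: unexpectedly exposed`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from check.torproject.org).
const DEMO_ORIGIN = "https://demo.example";
const ACAO = ["Access-Control-Allow-Origin", "*"];
const XFO = ["X-Frame-Options", "sameorigin"];
const scoped = { "/": [XFO], "/api/ip": [ACAO] };
// Backend and proxy both add the CORS header; the proxy still adds XFO.
const doubled = { "/": [XFO], "/api/ip": [ACAO, ACAO, XFO] };
// Exception applied site-wide instead of to the one endpoint.
const siteWide = { "/": [ACAO], "/api/ip": [ACAO] };
for (const s of [scoped, doubled, siteWide]) console.log(auditScope(s, "/api/ip", DEMO_ORIGIN));
```

Feeding it the header lists from real responses (for example the output of `curl -D -` for each path) shows whether a change made at the Apache level ended up scoped to the one endpoint.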