#31295: please serve Tor signature files with Content-Disposition that encourages a download rather than inline viewing
--------------------------------------+--------------------
Reporter: dkg | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+--------------------
When i click on the `sig` link in https://www.torproject.org/download/
(which points to
https://www.torproject.org/dist/torbrowser/8.5.4/torbrowser-install-win64-8.5.4_en-US.exe.asc )
i find the OpenPGP signature displayed in the browser directly, rather than
being saved to a file.

But the [[https://support.torproject.org/tbb/how-to-verify-signature/|instructions for verifying the OpenPGP signature]]
seem to assume that the signature file has been downloaded as a file.

If you use [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition|Content-Disposition]]
you should be able to encourage the web browser to save the signatures as a
file in the same way that the installer is a file.

I'm attaching a HAR archive of what my browser (Firefox 68) did when
clicking on the `sig` link, which i think verifies that no
`Content-Disposition` header was sent.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31295>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
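
The HAR check described in the ticket can be automated. The following is an added example, not part of the original ticket or of any Tor Project tooling: it scans a HAR capture for signature URLs and reports whether each response carried `Content-Disposition: attachment`. The function names, the `.asc` suffix filter and the sample capture (hosted on example.org) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed HAR excerpt (not the attachment from the ticket). A real capture
# would be loaded with json.load() from the browser's exported .har file.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://example.org/dist/installer.exe.asc"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/plain"}]}},
    {"request": {"url": "https://example.org/dist/other.exe.asc?mirror=1"},
     "response": {"status": 200, "headers": [
         {"name": "content-disposition",
          "value": 'Attachment; filename="other.exe.asc"'}]}},
    {"request": {"url": "https://example.org/download/"},
     "response": {"status": 200, "headers": []}},
]}}


def disposition_type(headers):
    """Return the lowercased disposition type, or 'missing' if no header."""
    for header in headers:
        # HTTP header names are case-insensitive.
        if header.get("name", "").lower() == "content-disposition":
            # The disposition type is the token before the first ';'.
            token = header.get("value", "").split(";", 1)[0].strip().lower()
            return token or "missing"
    return "missing"


def audit_har(har, suffixes=(".asc",)):
    """List signature responses and whether they ask the browser to download."""
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        # Match on the URL path only, so query strings do not hide the suffix.
        if not urlsplit(url).path.lower().endswith(tuple(suffixes)):
            continue
        kind = disposition_type(entry["response"].get("headers", []))
        findings.append({"url": url, "disposition": kind,
                         "asks_for_download": kind == "attachment"})
    return findings


if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        verdict = "ok" if finding["asks_for_download"] else "NOT attachment"
        print(f'{verdict:15} {finding["disposition"]:10} {finding["url"]}')
```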