Tor2web icon indicating copy to clipboard operation
Tor2web copied to clipboard
verified publisher icon tor2web

Clientside Rewrite Experimentation

Open evilaliv3 opened this issue 11 years ago • 6 comments

As part of an experimentation me and @virgil are going to implement a clientside rewrite mode of tor2web.

This ticket deals with this experimentation that involve the following spec:

When accessing https://am4wuhz3zifexz5u.tor2web.org/path/to/file.html ...

(1) am4wuhz3zifexz5u.tor2web.org returns a page with an IFRAME of size 100% x 100% as well as some JavaScript. The contents of this "iframe-spitter" page will be something like:

###this title will be automatically replaced###

(2) am4wuhz3zifexz5u.raw.tor2web.org returns the unaltered content from the am4wuhz3zifexz5u.onion . The headers for am4wuhz3zifexz5u.raw.tor2web.org contain the same header trickier we currently do as well as.

Access-Control-Allow-Origin: https://am4wuhz3zifexz5u.tor2web.org

This header is Cross-origin Resource Sharing (http://www.w3.org/TR/cors/) and will allow the JavaScript in the frameset to modify the contents in the frame.

(3) url_rewriter.js simply goes into the iframe's DOM and rewrites all of the hrefs.; the javascript will be probably embedded in the page in order to minimize the number of requests;

(4) title_rewrite.js reads iframe, gets its title, and overwrites the title of "###this titile will be automatically replaced###" with the iframe's

element. the javascript will be probably embedded in the page in order to minimize the number of requests; <p>(5) For simplicity we might want to make the iframe-spitter and the tor2web code different codebases/repositories. We can just use plain DNS to put them on separate machines.</p> <p>(6) As benefit of the iframe sandbox property we can ensure that .onion pages don't get rid of our tor2web header.</p> <h2></h2> <bountysource-plugin> <hr> <p>Want to back this issue? <strong><a href="https://www.bountysource.com/issues/6930867-clientside-rewrite-experimentation?utm_campaign=plugin&utm_content=tracker%2F318575&utm_medium=issues&utm_source=github" rel="nofollow" target="_blank" >Post a bounty on it!</a></strong> We accept bounties via <a href="https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F318575&utm_medium=issues&utm_source=github" rel="nofollow" target="_blank" >Bountysource</a>. </p></bountysource-plugin>

evilaliv3 avatar Dec 11 '14 00:12 evilaliv3

@virgil the iframe should not automatically load its content by url but the content of the iframe should by written by our javascript. this is needed in order to prevent the browser to eventually starting loading resources that have not been already mangled by our code.

evilaliv3 avatar Dec 11 '14 00:12 evilaliv3

@evilaliv3 that would be fine by me. But I want to know your precise concern. Are you concerned tha:

(1) users will click links before the our javascript runs? Or (2) user's javascript will be turned off?

If (1), Is there something clever we can do so that the URLs are rewritten as the iframe is being painted? I have no idea. If there's no clever way to do this, I wholly support doing a "display: none" until the URLs are rewritten.

If (2), I'd say tor2web loading a "non-mangled" page is better that not loading anything at all.

virgil avatar Dec 11 '14 00:12 virgil

Nope is not a matter of user clicks but of automstics fetch of not mangled resources by the browser like for the images nested iframes object bla bla.

evilaliv3 avatar Dec 11 '14 01:12 evilaliv3

Can you override any kind of low-level ajax resources function, in order to mangle the requests going from application code of JS application that cannot otherwise be rewritten client-side?

fpietrosanti avatar Dec 15 '14 14:12 fpietrosanti

Btw i would suggest to first move tor2web to the iframe embedding approach that's valuable to prevent the override of Tor2web banner injection avoidance, like CryptoWall is doing

fpietrosanti avatar Dec 15 '14 14:12 fpietrosanti

Any inline images won't load on the first pass (because of the .onion), but when they are rewritten by the javascript they will automatically refresh.

Would like to see if this yields an unpleasant UX before trying to solve this problem more deeply.

-V On Dec 15, 2014 6:00 AM, "Fabio (naif) Pietrosanti" < [email protected]> wrote:

Can you override any kind of low-level ajax resources function, in order to mangle the requests going from application code of JS application that cannot otherwise be rewritten client-side?

— Reply to this email directly or view it on GitHub https://github.com/globaleaks/Tor2web-3.0/issues/181#issuecomment-66997367 .

virgil avatar Dec 15 '14 18:12 virgil