Onion-Location read only from HTTP header and not http-equiv meta tag

Description of the issue:

Tor Browser considers the Onion-Location HTTP header as well as the http-equiv meta tag onion-location: https://community.torproject.org/onion-services/advanced/onion-location/

Brave considers only the header.

Steps to Reproduce (add as many as necessary):

  1. Go to https://www.miletic.net/ which sends Onion-Location in HTTP header.
  2. Observe the purple Tor button in the location bar.
  3. Go to https://group.miletic.net/ which sends onion-location in http-equiv meta tag.
  4. Observe the lack of the purple Tor button in the location bar.

Actual Result (gifs and screenshots are welcome!):

Described above.

Expected result:

Tor button should appear when the meta tag is set by the page, just like it does in the Tor Browser.

Reproduces how often:

Every time.

Operating System and Brave Version (See the About Brave page in the main menu):

Brave 1.35.100 Chromium: 98.0.4758.87 (Službeni sastavak) (64-bitni) on Arch Linux (specifically Garuda)

Additional Information:

I would be glad to provide any other required information if I can.

vedranmiletic,

When I used the built-in TOR feature of Brave Browser (some time ago), I learned to ALWAYS (before every TOR attempt)

  • start Brave Browser
  • open a New Window
  • open a New Private Window
  • open a new TOR window

IOW, go thru that sequence. But, today (Feb. 9, 2022), I did not Quit and Start Brave Browser. Instead, I, in the following order:

  • opened a New Window
  • opened a New Private Window
  • opened a New Private Window with TOR

and then, using the TOR window, sent it promptly to:

so you may see the result. Next, I sent the window to the second link (group etc) that you required:

and the “purple TOR button” disappeared, but the link is actually:

https://group.miletic.net/en/

Note: What we see depends upon how much the BB Shields Settings and other firewall and security settings permit.

Have you used the BB Developer Tools >> Network [tab] to see what differences there may be between the two URL addresses?

Yes, I have. As I stated in the original post, www.miletic.net sends the onion-location HTTP header:

$ curl -I https://www.miletic.net/en/ 
HTTP/2 200 
onion-location: http://tytdgqjgydmiyht4istlxh5e4c4l27yxd2qjxb3rwr7ccif64ddd3pid.onion/en/index.html
x-clacks-overhead: GNU Terry Pratchett
last-modified: Wed, 09 Feb 2022 14:27:37 GMT
etag: "38eb-5d796a2a9480a"
accept-ranges: bytes
content-length: 14571
cache-control: max-age=1, public
expires: Thu, 10 Feb 2022 10:25:52 GMT
vary: Accept-Encoding
content-type: text/html
date: Thu, 10 Feb 2022 10:25:51 GMT
server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m

while group.miletic.net does not:

$ curl -I https://group.miletic.net/en/
HTTP/2 200
server: GitHub.com
content-type: text/html; charset=utf-8
last-modified: Sun, 06 Feb 2022 22:52:53 GMT
access-control-allow-origin: *
etag: "62005145-1eac6"
expires: Thu, 10 Feb 2022 10:35:54 GMT
cache-control: max-age=600
x-proxy-cache: MISS
x-github-request-id: C682:2614:322E27:33B4AB:6204E832
accept-ranges: bytes
date: Thu, 10 Feb 2022 10:25:54 GMT
via: 1.1 varnish
age: 0
x-served-by: cache-vie6363-VIE
x-cache: MISS
x-cache-hits: 0
x-timer: S1644488755.605586,VS0,VE99
vary: Accept-Encoding
x-fastly-request-id: 00a334862573fc7a39db918a643536cfeccf18c1
content-length: 125638

but sets it in an http-equiv meta tag in the HTML header:

<!doctype html>
<html lang="hr" class="no-js">
  <head>
    <!-- ... -->
    <meta http-equiv="onion-location" content="http://vcwkbqby652dtqgbtbtr6ouvs6fu5abx5z45dmlug6dl55d6zcadsuqd.onion/en/">
  </head>

which is allowed according to the official specification.

Brave only reads the HTTP header, but not the http-equiv meta tag.

Reported as #21048.
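
An added example, not part of the original posts and not Brave or Tor Browser code: a small checker that looks for an onion-location advertisement in both places discussed above, the response header and the http-equiv meta tag. The function name, the `read_meta` switch and the header-before-meta order are assumptions made for illustration; the sample headers and HTML are cut down from the curl output and markup quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MetaFinder(HTMLParser):
    """Collects content= values of <meta http-equiv="onion-location"> tags."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "onion-location":
            if a.get("content"):
                self.values.append(a["content"].strip())

def valid_onion_url(value):
    # Accept only http(s) URLs whose hostname ends in .onion
    try:
        u = urlsplit(value)
    except ValueError:
        return False
    return u.scheme in ("http", "https") and (u.hostname or "").endswith(".onion")

def find_onion_location(headers, body, read_meta=True):
    """Return (source, url) for the first valid advertisement, else None.
    read_meta=False models a client that only reads the HTTP header."""
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "onion-location" and valid_onion_url(value.strip()):
            return ("header", value.strip())
    if read_meta:
        finder = MetaFinder()
        finder.feed(body)
        for value in finder.values:
            if valid_onion_url(value):
                return ("meta", value)
    return None

# Sample data reduced from the responses quoted in the post.
WWW_HEADERS = {"onion-location": "http://tytdgqjgydmiyht4istlxh5e4c4l27yxd2qjxb3rwr7ccif64ddd3pid.onion/en/index.html",
               "content-type": "text/html"}
GROUP_HEADERS = {"server": "GitHub.com", "content-type": "text/html; charset=utf-8"}
GROUP_HTML = ('<!doctype html><html lang="hr" class="no-js"><head>'
              '<meta http-equiv="onion-location" content="http://vcwkbqby652dtqgbtbtr6ouvs6fu5abx5z45dmlug6dl55d6zcadsuqd.onion/en/">'
              '</head></html>')

if __name__ == "__main__":
    print(find_onion_location(WWW_HEADERS, ""))
    print(find_onion_location(GROUP_HEADERS, GROUP_HTML))
    print(find_onion_location(GROUP_HEADERS, GROUP_HTML, read_meta=False))
```

With `read_meta=False` the second site yields no result, which matches the missing button described in the report.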

vedranmiletic,

Good report to GitHub.

And, good catch - finding / noticing the particulars. (Thank you - the screenshots help.)
