Detect Tor2Web client side (Javascript)
Tor2Web (and Web2Tor) are reverse proxies giving access to Tor Onion Services (previously known as Hidden Services) via the public internet. The problem with this, is that they act as a trusted middleman, often putting unwitting user's privacy and security at risk.
Some Tor2Web operators do the right thing and include a request header to tell the Onion service that the request is from a Tor2web node. Those that do can be detected and blocked in Nginx.
However, many don't.
This snippet provides some Javascript to check if the page currently being viewed appears to be being loaded via a Tor2Web domain, if it seems that it is, it'll inject a warning banner into the top of the page - the basic idea being that the function should be called on every page load
Unlike the JS example provided on the Nginx snippet, this snippet is genericised - there's no need to update it with a list of authorised domains.
Details
- Language: Javascript
- License: BSD-3-Clause
Snippet
function doFakeOnionThing(){
d = document.createElement('div');
d.innerHTML = "Warning: you appear to be browsing a <code>.onion</code> via Tor2Web. This is potentially dangerous.<p>See <a href='https://www.bentasker.co.uk/posts/blog/security/346-don-t-use-web2tor.html'>Don't use Web2Tor</a> for more information.</p>"
d.setAttribute('style','padding: 10px;font-weight: bold;margin-bottom: 50px;margin-top: 50px;border: 1.5px solid;');
document.body.insertBefore(d, document.body.childNodes[0]);
}
function detecttor2w() {
hn = document.location.hostname.toLowerCase();
if (hn.includes(".onion")){
s = hn.split(".")
if (!hn.endsWith(".onion") && (s.at(-2) == "onion" || s.at(-3) == "onion")){
doFakeOnionThing();
}
}
}
Usage Example
detecttor2w();