Via replacement plan

Security considerations

• Strip auth headers (Cookie, Authorization, etc.)
• Rewrite Content-Security-Policy header (Genius uses the “base” property to allow for a <base> tag to be injected.)
• Need to resolve hostnames first and eliminate RFC1918 nets
• Strip Referer?
• Client-side: disable forms, cookies(?)

Usability considerations

• Update all links to point to via
• Override history.pushState?
• Detect PDF content type and replace with PDF viewer

Potential design

1. Request arrives
2. DNS check
3. Rewrite request
4. Proxy to upstream
5. Check against content-type handlers: if unknown pass straight through
   1. PDF – render out PDF viewer HTML (templated).
   2. HTML – inject small tag payload at appropriate point
6. Profit?

Rewrite approach

1. Inject a <base> tag with an href linking to the original URL. This will hopefully ensure that external resources load correctly (and directly from the original site rather than through via), and allow in-page ajax calls to work.

2. Inject a script that will progressively enhance the via user experience by, for example:

   • intercepting click events on anchors, and rewriting the location on the fly to keep the user within via.
   • disable any forms with method="POST" and ideally display an explanation when the user tries to interact with them.
   • possibly monkeypatch the HTML5 history APIs?

3. ???