403 Forbidden when using Onion address

sudoer-777

I can access the home page and login page, but once I login I get 403 Forbidden. I cannot access the non-onion URL over Tor either.

zer0

sudoer-777 it does work. Sometime it's required to try a new identity unfortunately

antonio

Hi there, I've just tried both in Tor, the non-onion URL and onion URL. Logged-in in both and working fine.
Is it still giving you a 403? could you share a screenshot?

sudoer-777

antonio

Using the onion URL, I can access the login page but I can't log in:

When I use the regular URL over Tor, I can't even access the home page:

I'm using LibreWolf over Privoxy with uBlock Origin.

pixel

Typically a "403 Forbidden" indicates that there is a csrf issue with the request so it fails the verification.
The csrf data is stored in a cookie, and then also in the page - which is sent when you click login and then it validates the two to ensure they match.

The "Error: Forbidden" is a separate thing, which is coming from our hosting provider (gcp), they block vpns and things like that unfortunately which then yields this page.
We do want to solve this specific case if possible of course.

sudoer-777

pixel I just saw that I get this in the console:

Which is probably due to the connection to Privoxy using http not https. I can log into Ramble and Dread though. I'm trying to install Tor browser and test it there so I'll see if it's any different. Also trying to see if there's a way to make Privoxy use https and generate certificates.

silvenga

sudoer-777 I think that's the issue then, the onion URL's shouldn't use HTTPS (and thusly shouldn't require a secure cookie).

My guess is that using Tor Browser would work (or any version of Firefox with the patches from the Tor project) - and it's LibreWolf applying modern secure defaults (that weren't made for a Tor Internet). I'm assuming Tor Browser knows that websites like (or might be required by law or compliance) to set the secure cookie flag, and ignores it under onion links.

For completeness, HTTPS over tor:

Doesn't help with server trust, as the onion URI is the public key of the hidden service.
Doesn't help with confidentiality, as all hidden service communication is already encrypted, end-to-end.

pixel

Hi there @sudoer-777,

Just following up - were you able to get this resolved?

sudoer-777

pixel I couldn't get Tor Browser installed on aarch64 Linux, I just got it on my phone and can confirm Kagi works there. I still need to figure out how to fix it when using Privoxy/InviZible Pro with a normal browser due to the secure cookie issue (I used LibreWolf on Linux and Cromite on Android).

sudoer-777

pixel Actually I just fixed it in LibreWolf by setting dom.securecontext.allowlist_onions to true in about:config

pixel

Awesome - good to know.
Glad that it works for you now.