by isaack 2175 days ago
CloudFlare had a much more elegant solution: the Alt-Svc HTTP header [1]. It is entirely transparent to the user. Security is guaranteed because it uses the original SSL/TLS certificate for exchange (that is, on top of the usual safety guarantees provided by a Tor hidden service).

Sadly they stopped doing that a while ago [2]. If anyone has insider knowledge about the reason behind it, I would be really interested to hear about it.

[1]: https://blog.cloudflare.com/cloudflare-onion-service/

[2]: https://community.cloudflare.com/t/tor-alt-svc-header-not-be...

2 comments

Cloudflare is still using the Alt-Svc HTTP header. Use Ctrl+Shift+J to see the 'Browser Console' which contains logs in the form "Alternate Service Mapping found: https://blog.cloudflare.com:-1 to https://cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35....

Cloudflare only sends the header to clients it detects as Tor Browser. If you have tweaked your config or are running an older version, it may not detect correctly, even if it had previously worked.

This technique is not "better than" the "Onion-Location" approach. They complement each other well. Use the 'Alt-Svc' header for all users with Tor Browser's user agent and send "Onion-Location" to all users. If a user decides to opt for the .onion address, they can. But they don't have to.

It’s so transparent that Tor Browser users cannot actually tell if Cloudflare’s Alt-Svc “Onion Routing” is actually working. Try to determine how your traffic was routed while browsing a site with Alt-Svc enabled.

A user should plainly know if _any_ traffic exited the Tor network, and that is not always the case. (See mixed content on most HS mirrors of major sites like NYTimes.)
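The two replies above describe the same response headers from opposite sides: Alt-Svc is followed silently by Tor Browser, while Onion-Location is shown to the user as a choice. The following added example (not code from any of the commenters or from Cloudflare) parses both headers from a response so an operator or user can see which .onion destinations a site actually advertises; the header values and the .onion hostname are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Alt-Svc alternative per RFC 7838: protocol-id="host:port" plus ;-separated parameters
ALT_VALUE_RE = re.compile(r'([\w!#$%&*+\-.^|~]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')
PLACEHOLDER_ONION = "x" * 56 + ".onion"   # constructed, same length as a real v3 address


@dataclass
class AltService:
    protocol: str            # ALPN id, e.g. "h2"
    host: str                # empty string means "same host, different port"
    port: Optional[int]
    max_age: Optional[int]   # "ma": seconds the client may keep using the alternative
    persist: bool            # "persist=1": keep the mapping across network changes

    @property
    def is_onion(self) -> bool:
        return self.host.lower().endswith(".onion")


def parse_alt_svc(value: str) -> List[AltService]:
    """Parse an Alt-Svc header value; the special value "clear" yields no alternatives."""
    if value.strip().lower() == "clear":
        return []
    services = []
    for proto, authority, params in ALT_VALUE_RE.findall(value):
        host, sep, port = authority.rpartition(":")
        if not sep:                                   # no explicit port given
            host, port = authority, ""
        opts = dict(kv.strip().split("=", 1) for kv in params.split(";") if "=" in kv)
        services.append(AltService(
            protocol=proto, host=host,
            port=int(port) if port.isdigit() else None,
            max_age=int(opts["ma"]) if opts.get("ma", "").isdigit() else None,
            persist=opts.get("persist", "").strip() == "1"))
    return services


def onion_targets(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Report every .onion destination a response advertises, keyed by header name."""
    found: Dict[str, List[str]] = {"Alt-Svc": [], "Onion-Location": []}
    lookup = {k.lower(): v for k, v in headers.items()}
    for alt in parse_alt_svc(lookup.get("alt-svc", "")):
        if alt.is_onion:                              # the silent Tor Browser path
            found["Alt-Svc"].append(f"{alt.protocol}://{alt.host}:{alt.port}")
    m = re.match(r"https?://([^/:]+\.onion)", lookup.get("onion-location", ""), re.I)
    if m:                                             # the user-visible opt-in path
        found["Onion-Location"].append(m.group(1))
    return found


# Constructed response headers in the shape discussed in the thread (not captured from a real site)
SAMPLE_HEADERS = {
    "Alt-Svc": f'h2="{PLACEHOLDER_ONION}:443"; ma=86400; persist=1, h3=":443"; ma=3600',
    "Onion-Location": f"https://{PLACEHOLDER_ONION}/",
}
```

Running `onion_targets(SAMPLE_HEADERS)` lists the .onion in both headers, while a response carrying only `h3=":443"` reports none, which is the distinction a user has no way to see from the browser UI alone.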