Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Architecture: Strip all Javascript from static html archives by default #237

Closed
3 of 8 tasks
noirscape opened this issue May 9, 2019 · 2 comments
Closed
3 of 8 tasks

Architecture: Strip all Javascript from static html archives by default #237

noirscape opened this issue May 9, 2019 · 2 comments
Labels
size: hard status: idea-phase Work is tentatively approved and is being planned / laid out, but is not ready to be implemented yet touches: configuration touches: data/schema/architecture why: functionality Intended to improve ArchiveBox functionality or features why: security Intended to improve ArchiveBox security or data integrity

Comments

@noirscape
Copy link

Type

  • General Question or Disussion
  • Propose a brand new feature
  • Request modification of existing behavior or design

What is the problem that your feature request solves

Some websites use javascript to redirect any saved pages to the original site, thereby beaking archiving of pages on the site in question.

Describe the ideal specific solution you'd want, and whether it fits into any broader scope of changes

Ideally, the option to scan the javascript in each downloaded file to prevent setting window.location in any form.

Since JS can be obfuscated in all sorts of forms, perphaps an option to simply strip out javascript from downloaded files could also be useful slash more reasonable to implement.

What hacks or alternative solutions have you tried to solve the problem?

Currently, the only real solution is to open up the offending HTML files myself and remove the javascript causing the redirects from the <script> tags.

How badly do you want this new feature?

  • It's an urgent deal-breaker, I cant live without it
  • It's important to add it in the near-mid term future
  • It would be nice to have eventually
  • I'm willing to contribute to development / fixing this issue
  • I like ArchiveBox so far / would recommend it to a friend
@pirate
Copy link
Member

pirate commented May 18, 2019
edited
Loading

Yeah we're definitely adding this soon, it's a huge security issue currently to allow archived pages to run JS in a shared context, especially when opened via the filesystem.

I've officially made this a blocker to v0.4 due to the urgency: #207 (comment) but I cant promise I'll get around to it soon. In the meantime I'm adding notices to the README and wikis telling people not to use it for private content and to beware of potential JS execution reading from the filesystem / XSS-ing the archive.

This issue has evolved over time and can be tracked here now: #239

@pirate pirate added touches: data/schema/architecture why: functionality Intended to improve ArchiveBox functionality or features touches: configuration size: hard why: security Intended to improve ArchiveBox security or data integrity status: idea-phase Work is tentatively approved and is being planned / laid out, but is not ready to be implemented yet labels May 20, 2019
@pirate pirate changed the title Request: Disable Javascript Architecture: Disable Javascript on replays / wget archives May 20, 2019
@pirate pirate changed the title Architecture: Disable Javascript on replays / wget archives Architecture: Optionally disable all Javascript in static html archives May 20, 2019
@pirate pirate changed the title Architecture: Optionally disable all Javascript in static html archives Architecture: Optionally strip all Javascript from static html archives May 20, 2019
@pirate pirate changed the title Architecture: Optionally strip all Javascript from static html archives Architecture: Strip all Javascript from static html archives by default May 20, 2019
@pirate pirate mentioned this issue May 20, 2019
Merged
@pirate pirate mentioned this issue Mar 18, 2020
Closed
@kotovalexarian kotovalexarian mentioned this issue Aug 9, 2022
Closed
@pirate
Copy link
Member

pirate commented Jan 20, 2024

Our new solution moving forward is likely going to involve serving untrusted JS from a different port + adding csp/cors/etc. headers, as JS sanitizing /stripping is inherently fraught with security risk and doesn't provide the best user experience.

Follow here for updates: #239

@pirate pirate closed this as completed Jan 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
size: hard status: idea-phase Work is tentatively approved and is being planned / laid out, but is not ready to be implemented yet touches: configuration touches: data/schema/architecture why: functionality Intended to improve ArchiveBox functionality or features why: security Intended to improve ArchiveBox security or data integrity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pirate @noirscape