Javascript is still on with gold #272

Closed
232qwer opened this issue Jun 16, 2020 · 13 comments

@232qwer

232qwer commented Jun 16, 2020

Hello,
Thank you for the app. I left a tip. Some onion sites block me because it says JavaScript is still on even though I have it on the gold setting with no JavaScript selected.
Please help

@tladesignz tladesignz self-assigned this Jun 18, 2020
@tladesignz
Contributor

@232qwer, thanks for your support!
Indeed JavaScript is still on. In fact, I don't think we can suppress it, actually, and we inject some of our own to enable the context menu.
It's just that we're denying all other JavaScript from getting loaded and executed by injecting a very restrictive Content-Security-Policy HTTP header.

Not sure if I can help you there, but if you provide an example, I can take a look and maybe find a solution.

@ghost

ghost commented Aug 22, 2020

Hi, I also appreciate this app!
I’ve seen this be an issue from time to time, for instance when accessing a hidden site such as
http://flkzk2qjqe2yo5etsb7klxjihgrj7bi54k3iscccvkk7xbkif6x5etad.onion/
Hope that helps.

@tladesignz
Contributor

So, the technique to detect JavaScript is simple: a display: none CSS attribute is hidden inside a <noscript> tag.

I can completely disable JavaScript with the Content-Security-Header by removing sandbox allow-scripts. Then this technique works as expected.

However, this also disables our context menu on long-taps.

Seems like a good enough quick fix to solve the problem at hand.
However, that will change the browser behaviour for other people.
To get both, unchanged UI and support for this problem, this needs some UI toggle, where it is explained properly.
That opens up that can of security level worms again.

@mtigas, what's your take on this?
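An added example (not part of the comment above and not Onion Browser's code) of why the two policy shapes discussed here differ for a `<noscript>` check: a `script-src 'none'` policy only blocks page scripts while scripting stays enabled, whereas a `sandbox` directive without `allow-scripts` disables scripting, so `<noscript>` content is rendered. The policy strings are constructed for illustration; the app's actual header is not shown on this page.

```javascript
// Parse a Content-Security-Policy value into a Map of directive name -> tokens.
// Directives are separated by ';'; a repeated directive name is ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Classify the policy's effect on scripting and on <noscript> rendering.
function scriptingState(header) {
  const d = parseCsp(header);
  // sandbox without allow-scripts sets the sandboxed scripts flag:
  // scripting is disabled, so the browser renders <noscript> content.
  if (d.has('sandbox') && !d.get('sandbox').includes('allow-scripts')) {
    return { scripting: 'disabled', noscriptRendered: true };
  }
  // script-src (falling back to default-src) with 'none' or an empty list
  // blocks every page script, but scripting itself remains enabled,
  // so <noscript> content stays unrendered.
  const src = d.get('script-src') || d.get('default-src');
  if (src && (src.length === 0 || (src.length === 1 && src[0] === "'none'"))) {
    return { scripting: 'enabled-but-blocked', noscriptRendered: false };
  }
  return { scripting: 'enabled', noscriptRendered: false };
}

// Constructed sample policies (assumptions, not the app's real header).
const samples = [
  "script-src 'none'; sandbox allow-scripts allow-same-origin",
  "script-src 'none'; sandbox allow-same-origin",
];
for (const policy of samples) {
  console.log(policy, '->', JSON.stringify(scriptingState(policy)));
}
```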

@tladesignz tladesignz added this to the 3.0.0 milestone Nov 2, 2020
@wisheurs

Hello, I can't find a solution to this problem. Could you help me?

@wisheurs

wisheurs commented Dec 1, 2020

??

@tladesignz
Contributor

> Hello, I can't find a solution to this problem. Could you help me?

Sorry, this needs a UI redesign, which we currently don't have a budget for.

@webWHITEonion

Hello, is this still relevant? Because it is impossible to connect to some dark sites. Also can't open a pop-up window? Is this also related to a problem with Apple? See you soon

@webWHITEonion

@tladesignz

@tladesignz
Contributor

@webWHITEonion Did you read all the comments? Is anything still unclear? Or did you just want to make the point that this is relevant and you want it solved? If so, ok, I got it.

@webWHITEonion

Hello, thanks for the reply. I think you still need to fix this problem. See you soon @tladesignz

@m4mb01t4l14n0

@tladesignz: instead of rethinking security levels, how about just adding one called "Pro Platinum Ultra" that completely disables JavaScript as you suggest (with the only change over "Gold" this one item)?

To @webWHITEonion and @wisheurs and @232qwer our organization is no longer funded for this project, unfortunately. @tladesignz donates his time for the small amount of work he can do. We understand the significance of this issue, certainly.

tladesignz added a commit that referenced this issue Aug 2, 2021
Fixes #272: Added new content policy "Really Strict", which disables JavaScript completely
@tladesignz tladesignz modified the milestones: 3.0.0, 2.7.5 Aug 2, 2021
@tladesignz
Contributor

Thanks a lot to @mikezs, who coded up a viable solution which actually is good enough to solve your problem and doesn't create the need for more default security levels!

@mikezs
Contributor

mikezs commented Aug 2, 2021

@tladesignz You did all the hard work working out what the fix was, I just whipped up an implementation when I ran into this problem :) I haven't written Objective-C for many years, so it was a fun little task. Thanks for all your work on this, I'd be happy to implement more features in the future.
