Disabling or only partially enabling JavaScript causes problems #7

Open
kloesing opened this issue Feb 18, 2012 · 2 comments

@kloesing (Contributor) commented Feb 18, 2012

(Copied from https://trac.torproject.org/projects/tor/ticket/5168)

1. No JavaScript.
   - No content is seen, besides the black bar (top) and the footer (The Tor Project - 2012), which appears at the top.
   - Search has no function

2. JavaScript for github.com
   - Content is shown, footer is under the content
   - Search returns "Backend error! The backend server replied with an error to your query. This probably means that you did not properly format your query. Or that you just are trying to fuzz my web app hoping to pwn me. Good luck! ;)"

3. JavaScript for github and datasource, no external resources are allowed to load
   - Content is shown
   - Search returns "Backend error! The backend server replied with an error to your query. This probably means that you did not properly format your query. Or that you just are trying to fuzz my web app hoping to pwn me. Good luck! ;)"

4. JavaScript for github and datasource, no restriction of external sources (or datasource can be accessed)
   - Content is shown, footer is under content
   - Search works (looks pretty cool, and the results even cooler)

If there's anything that can be improved on Onionoo's side, please open a ticket at https://github.com/kloesing/Onionoo/issues .

@hellais (Owner) commented Feb 19, 2012

We can't provide the same functionality if the user is disabling parts of JavaScript from NoScript.

This said, I can probably write something that detects that the user is under strict JavaScript rules and displays an error message that corresponds to that.

The only thing that could improve this is if we hosted the backend on the same machine that runs TorStatus; this way there would be no SOP violation and cases 2 and 3 would not occur.

@bastik-1001 commented Feb 19, 2012

Telling that JavaScript is required should help a lot. NoScript has its uses, but when one gets told that a site does not work without JavaScript and that's easy to recognize, users can be convinced to allow JavaScript from those domains/resources. NoScript is still useful, because it still checks for XSS and still disables scripting for other non-white-listed resources.

It's pretty common to load data from other resources. My "test" involved the Firefox addon "Request Policy", which might not be used very often because it's often breaking websites. It shows what can happen when the datasource can't be accessed due to a firewall or hosts entry. I did not expect this to be common so maybe the error just could reflect it.
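
An added example, not part of the thread and not TorStatus code: one way to report cases 2 and 3 (cross-origin data source blocked or unreachable) separately from a query the backend really rejected, as the two comments above suggest. The function names and the `torstatus.example` / `onionoo.example` URLs are hypothetical placeholders.

```javascript
// Added example; function names and URLs are hypothetical, not TorStatus code.

// True when the backend's origin (scheme, host, port) differs from the page's,
// i.e. the request is cross-origin and can be blocked separately from the page.
function isCrossOrigin(pageUrl, backendUrl) {
  return new URL(pageUrl).origin !== new URL(backendUrl, pageUrl).origin;
}

// Classify a finished backend request. `status` follows XMLHttpRequest:
// 0 means the request never completed (add-on block, firewall, hosts entry,
// refused cross-origin read); page script cannot tell these causes apart.
function classifyOutcome(status, body) {
  if (!status) return "unreachable";
  if (status >= 400) return "backend-error";
  if (typeof body !== "string") return "bad-response";
  try {
    JSON.parse(body);
  } catch (e) {
    return "bad-response";
  }
  return "ok";
}

// Pick the message to show instead of one generic "Backend error!".
function messageFor(kind, pageUrl, backendUrl) {
  const host = new URL(backendUrl, pageUrl).host;
  switch (kind) {
    case "unreachable":
      return isCrossOrigin(pageUrl, backendUrl)
        ? `Cannot reach the data source at ${host}. If you use a script or request blocker, allow ${host}.`
        : "Cannot reach the data source. Check your network connection.";
    case "backend-error":
      return `The data source at ${host} rejected the query.`;
    case "bad-response":
      return `The data source at ${host} sent a reply that could not be parsed.`;
    default:
      return "";
  }
}

// Constructed sample: page and backend on different hosts, request blocked.
const PAGE = "https://torstatus.example/index.html";
const BACKEND = "https://onionoo.example/summary?search=moria";
console.log(messageFor(classifyOutcome(0, null), PAGE, BACKEND));
```

Case 1 (no JavaScript at all) cannot be handled by script; it needs static markup such as a `<noscript>` notice.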
