cambecc / earth

a project to visualize global weather conditions
http://earth.nullschool.net
MIT License

Website earth.nullschool.net not working from the tor network #60

Open github-user-1 opened 7 years ago

github-user-1 commented 7 years ago

Unfortunately, the website earth.nullschool.net is not reachable from the tor network. I can see that cloudflare is (apart from the captcha) intercepting the https connection (CN is sni59095.cloudflaressl.com). Once the website is loaded only the globe is shown, but no data (error message is 'Server down'); it might be cloudflare again blocking any connection to further servers (?).

It might not be an easy or quick task, however I think it would be just great to be able to reach the wonderful website from the anonymous web as well (without cloudflare tracking and real https)...

cambecc commented 7 years ago

If you can see the globe, then the main download is working. It's the loading of data from another domain that causes the globe to be blank. What does the javascript console of your browser say? Perhaps tor is interfering with the CORS headers on the HTTP response.

Cloudflare tracking is a consequence of keeping the site running. I cannot afford bandwidth costs otherwise. :(

github-user-1 commented 7 years ago

What I see is the following error message (javascript; translated):

Cross-Origin request blocked: Same-Source-Rule forbids the reading of external resource from https://gaia.nullschool.net/data/gfs/current/current-wind-surface-level-gfs-0.5.epak. (Reason: CORS-Header 'Access-Control-Allow-Origin' missing).
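
The check behind that console message, as an added example that is not part of the thread or of the earth project's code: the browser only looks at the response headers, so any response that arrives without `Access-Control-Allow-Origin` yields the same error, whatever its status code or sender. The sample responses are constructed, and the 403 HTML page is an assumed stand-in for a response generated by something other than the data server; the thread does not establish what was actually returned.

```javascript
// Added example: the CORS check a browser applies before a page may read a
// cross-origin response. Sample responses are constructed, not captured.

// Page origin and data URL as they appear in the thread.
const PAGE_ORIGIN = "https://earth.nullschool.net";
const DATA_URL =
  "https://gaia.nullschool.net/data/gfs/current/current-wind-surface-level-gfs-0.5.epak";

// Header names are case-insensitive, so normalise before the lookup.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns { allowed, reason } for a response to a request sent from pageOrigin.
function corsCheck(pageOrigin, headers, withCredentials = false) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { allowed: false, reason: "Access-Control-Allow-Origin missing" };
  }
  // The wildcard is only honoured for requests without credentials.
  if (!withCredentials && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard" };
  }
  if (allowOrigin !== pageOrigin) {
    return { allowed: false, reason: "Access-Control-Allow-Origin does not match" };
  }
  if (withCredentials &&
      getHeader(headers, "Access-Control-Allow-Credentials") !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { allowed: true, reason: "origin match" };
}

// Constructed responses to a GET for DATA_URL.
const SAMPLES = {
  dataServer: { status: 200, headers: { "access-control-allow-origin": "*" } },
  interstitial: { status: 403, headers: { "Content-Type": "text/html" } },
  wrongOrigin: { status: 200, headers: { "Access-Control-Allow-Origin": "https://example.org" } },
};

// One line per sample: the status code plays no part in the decision.
function report() {
  return Object.entries(SAMPLES).map(([name, r]) => {
    const { allowed, reason } = corsCheck(PAGE_ORIGIN, r.headers);
    return `${name} (${r.status}) ${DATA_URL}: ${allowed ? "readable" : "blocked"}, ${reason}`;
  });
}
```

Comparing the response headers seen over each network path (for example in the browser's network panel) shows whether the header is absent only on the path that fails.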

AnachronicNomad commented 7 years ago

This would probably occur with the browser which comes bundled with the download from the TOR Project. Your browser is preventing what it thinks is an XSRF (Cross Site Request Forgery). I think this is occurring because technically speaking, {{gaia.nullschool.net}} is a different domain than {{earth.nullschool.net}}.

Your browser, since it apparently supports CORS, is saying that it might need the web application to add the 'Access-Control-Allow-Origin' field enabled in the OPTIONS component of the request handler on the server, as described here at StackOverflow.

However, for the modified Firefox ESR that's used for the Tor Browser, all these options may be disabled by default. It's a pretty big security concern, given developments over the past few years, for your browser to cede control of Cross-Origin Resource Sharing to the server if you're using Tor :)

Can you please (if you're able to) describe other components of your environment, including:

It may be possible to circumvent all this entirely and additionally improve performance by using WebSockets to pipe/stream the weather data through (from the backend perspective), and have the server employ an equivalent of the implementation of push notifications we see in many other, much newer web services. This would require a considerable amount of work and reconfiguration of the application, from what I understand of a cursory glance through the repo. Looking at the commit history, I don't think WebSockets were mature enough when this project was created, so it would be interesting to see if the service is improved by using WS instead of straight up AJAX requests for the full .epk of all weather data when the service is starting for a connected session, or a different layer/projection is chosen.

However, this would invalidate your use of the Tor Browser in the first place - WebSockets work by forcing a TCP Keep-Alive for the connection. This would keep all your connections forced through a single path through the Tor relay network, de-anonymizing all of your traffic. Is using the Tor Browser absolutely necessary for you to access {{earth.nullschool.net}}? From what I remember of how the Tor Browser Bundle works (my memory is very faulty, and from several years ago), you can specify settings for a local loopback proxy server that you point your Tor Browser to via the in-browser proxy settings. Then, when you open or use another browser (or I think even the same browser, but in a different process - the details get hazy here), none of that traffic goes through the Tor network anyway - meaning that you could use the web service without a problem. I would implore you to consider this - blasting the Tor network with this kind of use hurts performance for users like political dissidents and journalists. Furthermore, it somewhat anonymizes your own traffic from your ISP's perspective, because you're making several legitimate and high volume requests that aren't to the onion network.

Have a day! Let us know how it turns out!

github-user-1 commented 7 years ago

Thanks for your extensive comments! A bit of additional information from my side:

Browser: Firefox 52.0 (32 bit) and MS Edge 38 on Windows

The SSL certificate is validated (COMODO CA Limited)

I do have Tor running on my router (version 0.2.9.9) and all internet tcp (and udp dns) traffic is sent through it by standard (I can change my netfilters to bypass Tor though - doing that for cloudflare I see 'earth' is working fine right away with Firefox and Edge; routing through tor again it fails with both browsers again).

It is not absolutely necessary for me personally to access earth.nullschool.net via tor - but I'm promoting Tor and in fact there should be much more "normal" traffic on tor (the network has lots of spare capacity currently) which helps also those with a very high demand of anonymity. So for me personally it's rather educational, getting experience, learning more about networks and about possibilities of increased anonymity. In the long term I think it will be nice to have more websites working through tor (or even as best case have a .onion webpresence).

AnachronicNomad commented 7 years ago

I agree with your sentiments! I am a huge fan of the prospect of the TOR network to be used in canonical and open ways - especially since it would allow for the possibility of better fault-tolerant routing above and beyond how the TCP/IP network stack has been used so far by ISPs.

However - I don't think that this is really an open issue with this project. You should consider marking this issue resolved. I would encourage that you bring this information to relevant mailing lists for the TOR project, since it would feed into an interesting discussion about how contemporary emergent web technologies and patterns can be better supported and used within the context of TOR.

If you find yourself in a position of requiring use of the TOR network, you should not use netfilters to whitelist all outbound requests to Cloudflare servers. This rule may be applied to anybody who inadvertently uses your router as an endpoint if you have it set up as an "Onion Bridge" or "Onion Router". Instead, consider adding specific domain names; unless you find that your issue persists with other services that are hosted on Cloudflare. There are a variety of ways of implementing this kind of configuration style, including specifying a local whitelist on a machine that gets forwarded to your router so you can decouple these configuration settings, but it does not bear going into here.

I wish you success in your endeavors!

timmc commented 5 years ago

For what it's worth, I checked the website today via TAILS 3.11, and it worked. (Tor Browser 8.0.4; based on Firefox 60.4.0esr.) There's one rendering glitch wherein the background is white instead of black outside the projection rectangle, but the functionality is all there.

ETA: The white background is a result of enabling privacy.resistFingerprinting, specifically if privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts is also true.

rinku16 commented 4 years ago

> If you can see the globe, then the main download is working. It's the loading of data from another domain that causes the globe to be blank. What does the javascript console of your browser say? Perhaps tor is interfering with the CORS headers on the HTTP response.
>
> Cloudflare tracking is a consequence of keeping the site running. I cannot afford bandwidth costs otherwise. :(

Hi, please see my problem with using the earth nullschool demo on my localhost at https://github.com/cambecc/earth/issues/103#issue-514399758