Closed evilaliv3 closed 11 years ago
mmmmm I don't know if this is a good approach, as this is going to leave traces of access to globaleaks indefinitely in the browser's caches.
If we are going to have "anti-forensics" privacy improvements, the cache should expire, at least within a very reasonable amount of time.
The question is: in which specific context of the end-user experience is it useful to cache the script.js file, given that it will be loaded only once by the whistleblower?
Isn't this only an issue for the developer while "testing globaleaks", when you need to reload it many times?
@fpietrosanti it happens for each new tab opened, as the browser is explicitly forced not to keep any cache.
Do you remember the very slow loading of demo.globaleaks.org? Now it is a lot slower, as scripts.js embeds ~10 complete translations and a lot of code, so it weighs ~2MB.
I think this is needed now, and leaving a trace of the application access in the browser (js, css, theme images) is nothing more than leaking the access to the url/domain.
This ticket has been superseded by https://github.com/globaleaks/GlobaLeaks/issues/716, where we decided to also disable caching on static files.
Commit https://github.com/globaleaks/GLBackend/commit/efa193c9e226e6e7e4547a1f514a53b49f8c61b1 has been reverted in https://github.com/globaleaks/GLBackend/commit/b7a173765e44aab130ab630be21b05965563df28
Currently, for security reasons, GlobaLeaks injects the following HTTP headers:

```python
self.set_header("Cache-control", "no-cache, no-store")
self.set_header("Pragma", "no-cache")
self.set_header("Expires", "Mon, 01-Jan-1990 00:00:00")
```

These headers must be injected only on content related to application data (dynamic data, file downloads, etc.),
but caching must be re-enabled for js, html and other files inside staticdir so that the browser can cache the application code (currently the embedded scripts.js weighs ~2MB, as it always embeds all translations regardless of the application's configuration).
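One way to split the two policies described above (no-store for application data, bounded caching for files under staticdir), as an added example that is not GlobaLeaks' own code: the static URL prefix, the file types and the 24-hour lifetime are assumptions, and the fixed clock is constructed so the output is reproducible.

```python
import posixpath
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from typing import Optional

# The headers GlobaLeaks injected on every response at the time of this ticket.
NO_STORE_HEADERS = {
    "Cache-control": "no-cache, no-store",
    "Pragma": "no-cache",
    "Expires": "Mon, 01-Jan-1990 00:00:00",
}

# Assumed (not GlobaLeaks' real config): static application code is served
# under this URL prefix and limited to these file types.
STATIC_PREFIX = "/static/"
STATIC_SUFFIXES = (".js", ".css", ".html", ".png", ".jpg", ".gif", ".svg")

# Bounded lifetime so cached copies expire instead of persisting indefinitely.
STATIC_MAX_AGE = timedelta(hours=24)

# Constructed fixed clock for reproducible output.
EXAMPLE_NOW = datetime(2013, 11, 1, tzinfo=timezone.utc)


def is_static_asset(path: str) -> bool:
    """True only for application-code files under the static prefix."""
    # Normalise first so "/static/../receiver/1" is not mistaken for a static file.
    clean = posixpath.normpath(path)
    return clean.startswith(STATIC_PREFIX) and clean.lower().endswith(STATIC_SUFFIXES)


def cache_headers_for(path: str, now: Optional[datetime] = None) -> dict:
    """Return the cache-related headers to inject for the requested path."""
    if not is_static_asset(path):
        # Dynamic application data (submissions, file downloads, ...): never cached.
        return dict(NO_STORE_HEADERS)
    now = now or datetime.now(timezone.utc)
    expires = now + STATIC_MAX_AGE
    return {
        # private: shared caches keep no copy; max-age bounds the browser's copy.
        "Cache-control": f"private, max-age={int(STATIC_MAX_AGE.total_seconds())}",
        "Expires": format_datetime(expires, usegmt=True),
    }
```

Even with a bounded max-age, a cached static file is still evidence that the domain was visited, which is the trade-off the thread settled in #716 by disabling caching on static files too.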