hellais / TorStatus


Disabling or only partially enabling JavaScript causes problems #7

Open kloesing opened 12 years ago

kloesing commented 12 years ago

(Copied from https://trac.torproject.org/projects/tor/ticket/5168)

No JavaScript.

No content is seen, beside the black bar (top) and the footer (The Tor Project - 2012) which appears at the top.
Search has no function

JavaScript for github.com

Content is shown, footer is under the content
Search returns "Backend error! The backend server replied with an error to your query. This probably means that you did not properly format your query. Or that you just are trying to fuzz my web app hoping to pwn me. Good luck! ;)"

JavaScript for github and datasource, no external resources are allowed to load

Content is shown
Search returns "Backend error! The backend server replied with an error to your query. This probably means that you did not properly format your query. Or that you just are trying to fuzz my web app hoping to pwn me. Good luck! ;)"

JavaScript for github and datasource, no restriction of external sources (or datasource can be accessed)

Content is shown, footer is under content
Search works (looks pretty cool, and the results even cooler)

If there's anything that can be improved on Onionoo's side, please open a ticket at https://github.com/kloesing/Onionoo/issues .

hellais commented 12 years ago

We can't provide the same functionality if the user is disabling parts of JavaScript from NoScript.

This said, I can probably write something that detects that the user is under strict JavaScript rules and display an error message that corresponds to that.

The only thing that could improve this is if we hosted the backend on the same machine that runs TorStatus, this way there would be no SOP violation and cases 2 and 3 would not occur.
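
One way to implement the detection hellais describes, as an added example that is not part of TorStatus or this thread: it classifies what happened to the cross-origin data-source request so the page can show a specific message for cases 2 and 3 above instead of the generic "Backend error" (case 1, no JavaScript at all, is covered by a `<noscript>` element in the HTML, not by script). `BACKEND_URL` and the message texts are assumed placeholders.

```javascript
// Added example, not TorStatus code. BACKEND_URL is a placeholder.
const BACKEND_URL = "https://datasource.example/search";

// User-facing text per outcome, replacing the one-size-fits-all "Backend error".
const MESSAGES = {
  "blocked": "Scripts run, but the data source could not be reached. If you use " +
             "NoScript or RequestPolicy, allow " + BACKEND_URL + " for this site.",
  "backend-error": "The data source answered with an error; check your query.",
  "bad-data": "The data source answered, but the reply could not be parsed.",
  "ok": ""
};

// Pure classifier over the result of one fetch attempt.
// `outcome` is either {error} (the promise rejected) or {status, body}.
// Note: fetch rejects with the same TypeError whether the request was blocked
// by an extension, a firewall/hosts entry, or the Same-Origin Policy (missing
// CORS headers). Script cannot tell these apart, which is why hosting the
// backend on the TorStatus origin removes the whole class of failures.
function classifyOutcome(outcome) {
  if (outcome.error) return "blocked";
  if (outcome.status < 200 || outcome.status >= 300) return "backend-error";
  try {
    JSON.parse(outcome.body);   // the data source is expected to return JSON
    return "ok";
  } catch (e) {
    return "bad-data";          // e.g. a captive portal or HTML error page
  }
}

// Run one query and return its category; never throws, so callers can
// render MESSAGES[category] without a second error path.
async function probeBackend(url, fetchImpl = globalThis.fetch) {
  try {
    const resp = await fetchImpl(url, { mode: "cors" });
    return classifyOutcome({ status: resp.status, body: await resp.text() });
  } catch (e) {
    return classifyOutcome({ error: e });
  }
}

function messageFor(category) {
  return MESSAGES[category];
}
```

In the page, call `probeBackend(BACKEND_URL)` once at load and again on each search, and render `messageFor(category)` in the results area when the category is not `"ok"`.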

bastik-1001 commented 12 years ago

Telling that JavaScript is required should help a lot. NoScript has its uses, but when one gets told that a site does not work without JavaScript and that's easy to recognize, users can be convinced to allow JavaScript from those domains/resources. NoScript is still useful, because it still checks for XSS and still disables scripting for other non-white-listed resources.

It's pretty common to load data from other resources. My "test" involved the Firefox add-on "Request Policy", which might not be used very often because it's often breaking websites. It shows what can happen when the datasource can't be accessed due to a firewall or hosts entry. I did not expect this to be common, so maybe the error could just reflect it.