Opened 3 years ago

Closed 2 years ago

#21769 closed defect (implemented)

CSP blocks Tor Debian Instructions' Javascript

Reported by: tom
Owned by: hiro
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords:
Cc: weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

From irc:

3:14	twistero	The documentation page "Installing Tor on Debian/Ubuntu" does not display properly, https://www.torproject.org/docs/debian.html.en
3:15	twistero	Seems like Javascript on that page is incorrectly blocked
3:15	twistero	From Firefox's browser console: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://www.torproject.org”).

https://www.torproject.org/docs/debian.html.en

Child Tickets

Change History (11)

comment:2 Changed 3 years ago by arma

weasel recommends that we break the script out to its own js file, rather than having it inline, in both of these pages.

Patches (to the webwml git repo) appreciated!

comment:3 Changed 3 years ago by weasel

I fixed docs/debian.html - I don't think tor-relay-debian is affected. Please verify, then close.

comment:4 Changed 3 years ago by weasel

Cc: weasel added

comment:5 in reply to: 1 Changed 3 years ago by cypherpunks

Replying to arma:

Apparently the same issue affects https://www.torproject.org/docs/tor-relay-debian :
https://lists.torproject.org/pipermail/tor-relays/2017-March/012116.html

No, that post is saying they went to that page, and followed the link to https://www.torproject.org/docs/debian.html.en where the problem appeared. The tor-relay-debian page itself was and is fine.

comment:6 Changed 3 years ago by hiro

Ack. Patch following through

comment:7 Changed 3 years ago by hiro

This is actually happening in other pages. Ex:
https://www.torproject.org/getinvolved/volunteer.html.en
https://www.torproject.org/index.html.en
...

Blog too (but that's another story):
https://blog.torproject.org/blog/

Will look into this. It might be that we just have to clean up the JS since we have an inline policy.

comment:8 in reply to: 7 Changed 2 years ago by arma

Replying to hiro:

This is actually happening in other pages. Ex:
https://www.torproject.org/getinvolved/volunteer.html.en
https://www.torproject.org/index.html.en

How could that be the case, since those pages don't have javascript in them? Or am I wrong?

comment:9 Changed 2 years ago by hiro

This was related to a JS development extension I was using to debug the error. It was interpreting the headers returning from the page and throwing an error.

comment:10 Changed 2 years ago by arthuredelstein

FWIW, here is a list of inline scripts I found by grepping the website source code. These are presumably all getting blocked by our CSP. None of these scripts seems particularly important, but if someone has time these would probably be good to clean up.

// Offers search provider for torbutton (probably not needed):
./docs/torbutton/index.html.en:    <script type="text/javascript"> 
./docs/torbutton/en/index.wml:    <script type="text/javascript">

// Obsolete donation pages (superseded by donate.torproject.org):
./donate/thankyou.html.en:<script type="text/javascript" charset="utf-8">
./include/thankyou-head.wmi:<script type="text/javascript" charset="utf-8">

// Rule 41 campaign (this campaign is out of date because Rule 41 passed):
./rule-41/banner.html:     <script type="text/javascript">
./rule-41/email.html:  <script type="text/javascript">
./rule-41/email.html:  <script id="action_css" type="text/x-css-content">
./rule-41/petition.html:        <script type="text/javascript">
./rule-41/petition.html:        <script id="action_css" type="text/x-css-content">

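An added example, not from the ticket or the webwml repository, that does the audit the grep above does but checks each finding against the policy from the console error in the description: it lists every script element and inline event handler in an HTML document with a verdict under the given script-src value, so the inline-to-external move recommended in comment:2 can be verified per page. The policy string, page URL and sample HTML are constructed assumptions; wildcard sources, nonces and hashes are not handled.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CSP_SCRIPT_SRC = "https://www.torproject.org"  # policy from the console error in the ticket
PAGE_URL = "https://www.torproject.org/docs/debian.html.en"

class ScriptAuditor(HTMLParser):
    """Records each <script> and inline handler with its verdict under script-src."""
    def __init__(self, script_src, page_url):
        super().__init__()
        self.sources = script_src.split()
        self.page_url = page_url
        self.findings = []  # (line, what, allowed)

    def _allowed_src(self, src):
        # Exact host-source matching only; no wildcards, nonces or hashes (assumption).
        host = urlparse(urljoin(self.page_url, src)).netloc
        page_host = urlparse(self.page_url).netloc
        return any((s == "'self'" and host == page_host) or urlparse(s).netloc == host
                   for s in self.sources)

    def handle_starttag(self, tag, attrs):
        line, inline_ok = self.getpos()[0], "'unsafe-inline'" in self.sources
        if tag == "script":
            src = dict(attrs).get("src")
            if src is None:  # inline body: blocked unless 'unsafe-inline' is listed
                self.findings.append((line, "inline <script>", inline_ok))
            else:
                self.findings.append((line, src, self._allowed_src(src)))
        for name, _ in attrs:  # onclick= and friends are governed by script-src as well
            if name.startswith("on"):
                self.findings.append((line, f"<{tag} {name}>", inline_ok))

def audit(html, script_src=CSP_SCRIPT_SRC, page_url=PAGE_URL):
    parser = ScriptAuditor(script_src, page_url)
    parser.feed(html)
    return parser.findings

def blocked(html, **kw):
    return [f for f in audit(html, **kw) if not f[2]]

# Constructed sample: an inline script like the one debian.html had, the same script
# moved to an external same-origin file, a third-party script and an inline handler.
SAMPLE = """<html><body>
<script type="text/javascript">document.write("inline");</script>
<script src="/js/debian.js"></script>
<script src="https://cdn.example.net/x.js"></script>
<a href="#" onclick="toggle()">more</a>
</body></html>"""
```

Run `blocked(SAMPLE)` to get only the findings the site policy would refuse; only the same-origin external file passes.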
comment:11 Changed 2 years ago by hiro

Resolution: implemented
Status: new → closed