For several years everyone was able to post on https://blog.torproject.org without enabling JavaScript and other dangerous things.
Observed behaviour: can not post unless slider set to medium or low
Expected behaviour: high security supported
Steps to reproduce: try to post at https://blog.torproject.org with security slider on high
If I set my slider to "high" and just allow JavaScript on the blog it works. Otherwise I get a redirect loop (you can see that when you open the web console (Ctrl + Shift + K) and go to the Network tab).
There is a problem with the menu bar. It needs JS enabled to work. I am wondering if this can be fixed by having a custom admin template in Drupal. The problem with building a custom admin template in Drupal is that it might complicate things a bit.
BTW we have this same issue with storm.
I have been investigating this a bit more. The status at the moment is the following.
The template we are using implements bootstrap with some JS; when Tor Browser is used with the high security level, posting to the blog (comments and new blog posts for registered users) is not possible.
This is in part due to issues with the tor-bootstrap template as well as issues with the Drupal admin template.
I am trying to see if it is possible to solve the comments side of this issue, so that users would be allowed to post with high security level in Tor browser.
To do this I am specifically trying to strip the problematic JS while I fix the other big and small design issues.
The admin part is a bit more complicated to solve instead. I might have a look around to see if I can find a no-JS admin template. If not we should consider recoding the admin template ourselves, which might be a big effort.
Unfortunately we have inherited this issue from the old tor labs template that was adapted for the blog.
I don't need js enabled to post at blog.torproject.org. I see a blog comment of mine from one month ago.
My most significant prefs change from TBB default is allowing history (I reset this in Firefox prefs GUI).
Other prefs I change seem even less related to js - disable trim urls, wrap lines in view source, minimum font size, and a few others like those.
I also set noscript options strictly.
I change those after setting security slider to highest.
The only "strange" behavior I experience with the new blog is that after I have posted a comment (as a reply or a new comment), the Tor blog won't show the "reply" link on comments. But this happens only in the same TBB tab. Loading the blog page in a new tab fixes that "strange" defect.
Since yesterday all pages permanently reload (TB 8.5a1).
Trac: Summary: "Tor Browser 7.0 can't post on https://blog.torproject.org unless security slider is lowered" to "Redirection loop with disabled js on every page of blog.torproject.org"