Opened 2 years ago

Last modified 7 weeks ago

#22530 accepted defect

Redirection loop with disabled js on every page of blog.torproject.org

Reported by: cypherpunks Owned by: hiro
Priority: High Milestone:
Component: Webpages/Blog Version:
Severity: Major Keywords: user-feedback, blog
Cc: Dbryrtfbcbhgf, gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

For several years everyone was able to post on https://blog.torproject.org without enabling JavaScript and other dangerous things.

Observed behaviour: can not post unless slider set to medium or low
Expected behaviour: high security supported
Steps to reproduce: try to post at https://blog.torproject.org with security slider on high

Child Tickets

Change History (12)

comment:1 Changed 2 years ago by arma

If somebody could identify what exactly is the setting that makes it not work, that will help move this ticket forward.

comment:2 Changed 2 years ago by gk

If I set my slider to "high" and just allow JavaScript on the blog it works. Otherwise I get a redirect loop (you can see that when you are opening the web console (Ctrl + Shift + K) and go to the Network tab.

comment:3 Changed 2 years ago by gk

Cc: Dbryrtfbcbhgf added

Closed #22526 as duplicate.

comment:4 Changed 2 years ago by gk

Cc: gk added

comment:5 Changed 2 years ago by hiro

There is a problem with the menu bar. It needs js enabled to work. I am wondering if this can be fixed by having a custom admin template in drupal. The problem with building a custom admin template in drupal is that it might complicate things a bit.
BTW we have this same issue with storm.

Last edited 2 years ago by hiro (previous) (diff)

comment:6 Changed 2 years ago by hiro

Status: newaccepted

I have been investigating this a bit more. The status at the moment is the following.

The template we are using implements bootstrap w some JS, when Tor browser is used w/ high security level, posting to the blog (comments and new blog posts for registered users) is not possible.

This is part due to issues with tor-bootstrap template as well as issues with drupal admin template.

I am trying to see if it is possible to solve the comments side of this issue, so that users would be allowed to post with high security level in Tor browser.

To do this I am specifically trying to strip the problematic JS while I fix the other big and small design issues.

The admin part is a bit more complicated to solve instead. I might have a look around to see if I can find a no-JS admin template. If not we should consider recoding the admin template ourselves, which might be a big effort.

Unfortunately we have inherited this issue from the old tor labs template that was adapted for the blog.

Last edited 2 years ago by hiro (previous) (diff)

comment:7 Changed 20 months ago by cypherpunks

I don't need js enabled to post at blog.torproject.org. I see a blog comment of mine from one month ago.
My most significant prefs change from TBB default is allowing history (I reset this in Firefox prefs GUI).
Other prefs I change seem even less related to js - disable trim urls, wrap lines in view source, minimum font size, and a few others like those.
I also set noscript options strictly.
I change those after setting security slider to highest.

The only "strange" behavior I experience by the new blog is that after I have posted a comment (as reply or a new comment), tor blog won't show the "reply" link on comments. But this happens in only the same TBB tab. Loading the blog page in a new tab fixes that "strange" defect.

comment:8 Changed 20 months ago by cypherpunks

To avoid confusion:
I posted only comment 7 and this addendum comment on this ticket.

comment:9 Changed 16 months ago by gk

#25698 is a duplicate.

comment:10 Changed 10 months ago by traumschule

#27477 as well.

it is really bad the we encourage / force users to turn on js without even a warning (just like mozilla).

i was looking for the code, but did not find it. is your drupal under git somewhere?

comment:11 Changed 10 months ago by traumschule

Summary: Tor Browser 7.0 can't post on https://blog.torproject.org unless security slider is loweredRedirection loop with disabled js on every page of blog.torproject.org

Since yesterday all pages permanently reload (TB 8.5a1).

comment:12 Changed 7 weeks ago by wayward

Keywords: user-feedback blog added
Note: See TracTickets for help on using tickets.