Opened 5 years ago

Closed 5 years ago

#7063 closed enhancement (fixed)

Make a query parameter to control opt-in/opt-out

Reported by: dcf Owned by: dcf
Priority: High Milestone:
Component: Archived/Flashproxy Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: #7166 Points:
Reviewer: Sponsor:

Description

Add a parameter that lets an admin choose whether a permission cookie is required before the proxy badge starts serving clients.

This also requires designing some kind of information/permission page, with yse/no buttons, that sets a cookie when you click yes. The permission page should also be able to stand on its own for direct linking, in case people want a link to promote opt-in.

https://lists.torproject.org/pipermail/tor-talk/2012-October/025891.html

Child Tickets

Attachments (1)

flashproxy_opt-in.jpeg (459.5 KB) - added by aallai 5 years ago.

Download all attachments as: .zip

Change History (13)

Changed 5 years ago by aallai

Attachment: flashproxy_opt-in.jpeg added

comment:1 Changed 5 years ago by aallai

flashproxy_opt-in.jpeg is a mock-up of what the opt-in web page could look like.

comment:2 Changed 5 years ago by dcf

Okay, nice. Please make a new branch with an HTML file called options.html. In the branch, make clicking on the badge bring up options.html (probably in a new window of small size). Put your text copy and buttons in the HTML page.

The goals of the options page are:

  • link to the info/demo page.
  • show your current opt-in status.
  • let you change your opt-in status.

For the wording, this is what I am thinking:

Flash proxy options
This page enables you to use your web browser as a proxy to help censored Internet users. When you click yes, your browser will act as a censorship circumvention proxy as long as you are viewing a page with the flash proxy badge: ![inactive badge.png]. For more information on this system click here.
Your current setting is: do not use my browser as a proxy. Click Yes below to change the setting.
![Yes] ![No]

If cookies are disabled, show the "current setting" message, but in place of the buttons, put the message about enabling cookies. It should be clear to someone with cookies disabled that the their setting is No.

Both buttons should be visible and clickable, whatever the setting, for those people who want to click on something just to make sure.

Let's set the cookie using JavaScript if possible, because that doesn't require special server support. If JavaScript is disabled, of course that's effectively an opt-out. "While JavaScript is disabled, your computer will not be a proxy. Enable JavaScript to change your options."

Go ahead and copy the crypto.stanford.edu CSS and make any changes you find necessary.

comment:3 Changed 5 years ago by dcf

Parent ID: #7166

comment:4 Changed 5 years ago by aallai

Status: newneeds_revision

I have an attempt at this in the opt-in branch of https://github.com/aallai/flashproxy.git.

Tested in Chrome, Safari, IE 9 and Firefox. I just remembered IE < 8 uses attachEvent instead of addEventListener, so we don't support them yet. I should fix that up tomorrow.

You can view the page at http://cs.mcgill.ca/~aallai2/options.html

Some details I wasn't sure about:

  • Name and expiration date on the cookie. These are variables in options.js.
  • Where the options page is hosted. Right now the link assumes it is in the same directory as the embed.html/flashproxy.js files.
  • top-gradient.gif is an image used for the background of crypto.stanford.edu. Don't know if we want non-essential images in the repository.
  • Pop-up window. I noticed IE has a handy option to keep javascript from opening windows. I don't know how many people have this turned on, but I went for a regular link to be safe.

Let me know how it is.

comment:5 Changed 5 years ago by aallai

I need to make a revision to the branch mentioned above. In its current status if there is another cookie with our cookie name as a substring of it's value we will consider our cookie to be present. 

  • Alex

comment:6 Changed 5 years ago by aallai

The change mentioned in the post above has been made.

  • Alex

comment:7 in reply to:  4 Changed 5 years ago by dcf

I pushed a copy of the branch with some changes to https://git.torproject.org/user/dcf/flashproxy.git branch opt-in.

Replying to aallai:

Tested in Chrome, Safari, IE 9 and Firefox. I just remembered IE < 8 uses attachEvent instead of addEventListener, so we don't support them yet. I should fix that up tomorrow.

Perhaps a onload and onclick handlers are better than addEventListener? I hate to have compatibility code for something this trivial.

  • Name and expiration date on the cookie. These are variables in options.js.

Let's call the cookie flashproxy-allow. The value is 0 or 1.

Expiration date should be never, or as close as we can get to it. If someone opts out, they want to stay opted out. Same for opt-in.

  • Where the options page is hosted. Right now the link assumes it is in the same directory as the embed.html/flashproxy.js files.

That's good, leave it there.

  • top-gradient.gif is an image used for the background of crypto.stanford.edu. Don't know if we want non-essential images in the repository.

I just deleted this file. You are right, I don't want files like this in the repository.

  • Pop-up window. I noticed IE has a handy option to keep javascript from opening windows. I don't know how many people have this turned on, but I went for a regular link to be safe.

Okay, but how about linking with target=_blank to create a new window?


Other things to please do:

  • The cookie needs to have three states: true, false, and unset. Clicking "No" shouldn't delete the cookie; it should keep it but with a false value. The reason for this is that I plan to change what the default is in flashproxy.js. Currently, if no cookie is present, the proxy will run, but that will probably change. However, if a "flashproxy=false" cookie is present, the proxy won't run, regardless of what the default is.
  • Put the options JavaScript code in options.html and delete options.js. The code is simple enough that I think it's easier if it's not in a separate file.
  • Kill all the disable_button code. The options page is going to replace it completely. Your commit should delete at least as much code as 008bc801 added.
  • Modify flashproxy.js to honor the cookie. If true: run. If false: don't run. If cookie disabled or not present: run.
  • Add an opt-in-only mode to flashproxy.js. Add a boolean query string parameter cookierequired. If true, the rules become: If true: run. If false: don't run. If cookie disabled or not present: don't run.

In general, I don't care very much about compatibility with old browsers. IE 8 can't even be a flash proxy, so it's not worth doing anything to support it. It's nice if it fails closed; i.e., doesn't say that you will be a proxy when you can't, but it isn't critical. Certainly it's not worth user-agent sniffing or anything like that.

This looks like a good link for safe cookie operations with escaping: https://developer.mozilla.org/en-US/docs/DOM/document.cookie.

comment:8 Changed 5 years ago by aallai

Status: needs_revisionneeds_review

I've made the changes talked about above at https://github.com/aallai/flashproxy.git, branch opt-in.

comment:9 Changed 5 years ago by dcf

Great, looks good. I'm running this branch now on the demo page. Please add some tests for parse_cookie_string to flashproxy-test.js and we'll call this done.

comment:10 Changed 5 years ago by aallai

Status: needs_reviewneeds_revision

I've added some tests to flashproxy-test.js, on the same branch. The tests assume the function will be used on strings formatted like document.cookie, i.e. it will never get something like "a =b;c=d;", since browsers would format that as "a=b; c=d". 

comment:11 Changed 5 years ago by dcf

Thanks, I have merged it. I'm leaving the ticket open for the moment so I remember to update the demo page to mention the query parameter.

comment:12 Changed 5 years ago by dcf

Resolution: fixed
Status: needs_revisionclosed
Note: See TracTickets for help on using tickets.