Opened 5 years ago

Closed 5 years ago

#7811 closed enhancement (fixed)

Options on Flashproxy html; Question?

Reported by: bastik Owned by: dcf
Priority: Medium Milestone:
Component: Archived/Flashproxy Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The options page links to "http :crypto...." instead of "https: c..." (shouldn't matter that much, but IMO SSL is better than no SSL)

When no cookie is found I see:

"Your current setting is: unspecified. Your browser may or may not run as a proxy, depending on how the website administrator has configured the badge. Click the buttons below to change your setting."

With buttons [Yes] or [No].

I'm missing a question to answer. Something like:

"Do you want your browser to act as an proxy?" (Or similar)

Maybe you should include that you can change the setting anytime you want. (In theory I could click YES, the options says "Thank you!", and clicking on the badge would give me "Thank you!", not the options. I couldn't expect to be able to change the setting, in theory. I know I could, and even if not it's a cookie.)

After selecting an answer it seems clearer to me. You do this if you wanna not do it click THIS button.

(I know I can be a plague, but I want this to be not misinterpreted. I want people to participate who would maybe click no if they don't get what this all about.)

(thank you for implementing the options)

Child Tickets

Attachments (2)

FP_Option_htm_proxy-question_v1.patch (296 bytes) - added by bastik 5 years ago.
Add line with question
first outcome.patch (250 bytes) - added by bastik 5 years ago.
This was the first output, but it's not formated like diff

Download all attachments as: .zip

Change History (7)

comment:1 Changed 5 years ago by dcf

Status: newneeds_revision

The options page links to "http :crypto...." instead of "https: c..." (shouldn't matter that much, but IMO SSL is better than no SSL)

This is a good but stupid reason for this. The proxy doesn't work if the embedding page uses https; the reason for this is that unencrypted WebSockets are not allowed from an encrypted page. Our WebSockets are unencrypted because the clients do not have CA certs. We use the src="//crypto.stanford.edu/..." trick to avoid causing mixed-content warnings on the enclosing page, but the proxy badge won't actually work. I don't know if cookies set on https pages can be read by later http connections, but if not, then the option page should be plain http.

Do you mind making a patch for the wording change you suggest?

Thank you again for your valuable input.

comment:2 in reply to:  1 Changed 5 years ago by bastik

Replying to dcf:

The options page links to "http :crypto...." instead of "https: c..." (shouldn't matter that much, but IMO SSL is better than no SSL)

(...) The proxy doesn't work if the embedding page uses https; (...)

The more you know... I did not knew it and typed https... and bookmarked it.

Maybe you should mention it somewhere if not already mentioned. (I may overlooked it.)

HTTPS-Everywhere (at least 3.1) has a rule for stanford.edu; therefore http :crypto... loads as https :crypto

Do you mind making a patch for the wording change you suggest?

I'll attach a patch. Good that it's html. I never did a patch before. My first guess was that doing it manually would work. Well I did not know the format of diff, so I changed the html file.

Windows doesn't have diff (at least I don't think so). However I used WinMerge (I used it back then to compare files) to create the patch. Not as good as diff looks.

Thank you again for your valuable input.

No problem.

Changed 5 years ago by bastik

Add line with question

Changed 5 years ago by bastik

Attachment: first outcome.patch added

This was the first output, but it's not formated like diff

comment:3 Changed 5 years ago by bastik

I only attached the second file (first outcome) to see if it could be a working patch for you.

I modified the first upload (the actual patch) by editing the first two lines. (It contained a full path)

All in all I could have created the patch manually. (Now that I know how it has to look like.) Please tell me if anything is missing. (Header, or whatever.)

Oh and it appears to be a proxy rather than an proxy (I used "a proxy" in the patch).

comment:4 in reply to:  1 Changed 5 years ago by bastik

Replying to dcf:

(...) I don't know if cookies set on https pages can be read by later http connections, but if not, then the option page should be plain http.

The cookie that is set on the option page is valid for any connection, not only secured ones. (The cookie isn't a secure cookie)

To test this I was on the https version of the option page and set the cookie. The http version can read the cookie without any problem.

comment:5 Changed 5 years ago by dcf

Resolution: fixed
Status: needs_revisionclosed

I have applied something similar to what you did in your patch.

In the future, it is easier if you make a patch by downloading the source code using
git clone https://git.torproject.org/flashproxy.git
then make your changes and commit with
git commit -a
and then make a patch with
git format-patch HEAD^

As for HTTP versus HTTPS, the options page is a relative link, so it will use HTTP or HTTPS according to the embedding page, which I think is as it should be.

Note: See TracTickets for help on using tickets.