author | Micah Lee <micah@micahflee.com> | 2019-02-14 09:31:39 -0800 |
---|---|---|
committer | Micah Lee <micah@micahflee.com> | 2019-02-14 09:31:39 -0800 |
commit | dd3f2d60b6e99f83c1fb0f80026e608719588590 (patch) | |
tree | d0972805b2aa47651e1e345efafecb899e5ac2d2 | |
parent | 1c16b092a3c6c433326c82fde72c6bb0c59522ae (diff) | |
Update the noscript upload instructions on the receive mode upload page, and add separate page for instructions to disable NoScript XSS setting
-rw-r--r-- | onionshare/web/web.py | 8 | ||||
-rw-r--r-- | share/static/css/style.css | 7 | ||||
-rw-r--r-- | share/templates/receive.html | 17 | ||||
-rw-r--r-- | share/templates/receive_noscript_xss.html | 35 |
4 files changed, 59 insertions, 8 deletions
diff --git a/onionshare/web/web.py b/onionshare/web/web.py index 183c512c..010702be 100644 --- a/onionshare/web/web.py +++ b/onionshare/web/web.py @@ -132,6 +132,14 @@ class Web(object): self.force_shutdown() return "" + @self.app.route("/noscript-xss-instructions") + def noscript_xss_instructions(): + """ + Display instructions for disabling Tor Browser's NoScript XSS setting + """ + r = make_response(render_template('receive_noscript_xss.html')) + return self.add_security_headers(r) + def error404(self): self.add_request(Web.REQUEST_OTHER, request.path) if request.path != '/favicon.ico': diff --git a/share/static/css/style.css b/share/static/css/style.css index 5cf5245e..daaa9ce4 100644 --- a/share/static/css/style.css +++ b/share/static/css/style.css @@ -199,10 +199,15 @@ div#noscript { color: #e55454; padding: 1em; line-height: 150%; - max-width: 700px; + max-width: 900px; margin: 100px 2em 0 2em; } div#noscript a, div#noscript a:visited { color: #e27f7f; } + +.disable-noscript-xss-wrapper { + max-width: 900px; + margin: 0 auto; +} diff --git a/share/templates/receive.html b/share/templates/receive.html index 02c65cc2..9f8201c7 100644 --- a/share/templates/receive.html +++ b/share/templates/receive.html @@ -25,7 +25,7 @@ {% if messages %} <ul class=flashes> {% for category, message in messages %} - <li class="{{ category }}">{{ message }}</li> + <li class="{{ category }}">{{ message }}</li> {% endfor %} </ul> {% endif %} 
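Review bot: Nothing in the added `noscript_xss_instructions` view checks a slug or the current mode, so as far as this hunk shows, `/noscript-xss-instructions` is served to any client that reaches the service; whether sibling routes are gated differently is not visible here. The page is static and the response goes through `self.add_security_headers(r)`, so the exposure looks limited to confirming that the service is OnionShare, but that should be a deliberate choice recorded in the docstring, e.g. `Public, unauthenticated page: static instructions only, renders no request data.` Unlike `error404` just below, the view does not call `self.add_request(...)`, so visits to it are presumably not surfaced to the operator. The enclosing method of `class Web` starts outside the hunk.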
@@ -34,15 +34,18 @@ </form> <!-- We are not using a <noscript> tag because it only works when the security slider - is set to Safest, not Safer. --> + is set to Safest, not Safer. + + For more information about the upload issue: + https://github.com/micahflee/onionshare/issues/899 + --> <div id="noscript"> <p> - <strong>Warning:</strong> Due to a bug in Tor Browser and Firefox, if you - want to upload a file bigger than 50mb, you must set the Tor Browser + <strong>Warning:</strong> Due to a bug in Tor Browser and Firefox, uploads + sometimes never finish. To upload reliably, either set your Tor Browser <a rel="noreferrer" target="_blank" href="https://tb-manual.torproject.org/en-US/security-slider/">security slider</a> - to Standard. Otherwise your upload will never finish.</p> - - <p>If you plan on only uploading small files, your current settings are fine.</p> + to Standard or + <a target="_blank" href="/noscript-xss-instructions">turn off your Tor Browser's NoScript XSS setting</a>.</p> </div> </div> </div> diff --git a/share/templates/receive_noscript_xss.html b/share/templates/receive_noscript_xss.html new file mode 100644 index 00000000..bf846b03 --- /dev/null +++ b/share/templates/receive_noscript_xss.html 
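Review bot: The new link in the `#noscript` warning opens a new tab with `target="_blank"` but carries no `rel` attribute, while the security-slider link right above it uses `rel="noreferrer"`. The target is same-origin and static, so the risk is small, but keeping the two anchors consistent avoids handing the new tab a `window.opener` reference: `<a rel="noopener noreferrer" target="_blank" href="/noscript-xss-instructions">`. The rewritten warning also offers setting the slider to Standard as the first option; since that lowers protections for every site, consider listing the narrower NoScript change first.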
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>OnionShare</title>
+ <link href="/static/img/favicon.ico" rel="icon" type="image/x-icon" />
+ <link href="/static/css/style.css" rel="stylesheet" type="text/css" />
+ </head>
+ <body>
+
+ <header class="clearfix">
+ <img class="logo" src="/static/img/logo.png" title="OnionShare">
+ <h1>OnionShare</h1>
+ </header>
+
+ <div class="disable-noscript-xss-wrapper">
+ <h3>Disable your Tor Browser's NoScript XSS setting</h3>
+
+ <p>If your security slider is set to Safest, JavaScript is disabled so XSS vulnerabilities won't affect you,
+ which makes it safe to disable NoScript's XSS protections.</p>
+
+ <p>Here is how to disable this setting:</p>
+
+ <ol>
+ <li>Click the menu icon in the top-right of Tor Browser and open "Add-ons"</li>
+ <li>Next to the NoScript add-on, click the "Preferences" button</li>
+ <li>Switch to the "Advanced" tab</li>
+ <li>Uncheck "Sanitize cross-site suspicious requests"</li>
+ </ol>
+
+ <p>If you'd like to learn technical details about this issue, check
+ <a rel="noreferrer" href="https://github.com/micahflee/onionshare/issues/899">this issue</a>
+ on GitHub.</p>
+ </div>
+ </body>
+</html> |
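Review bot: The first paragraph justifies disabling NoScript's XSS filter only for the Safest level, yet the comment in receive.html says the warning is also meant to reach users on Safer, where JavaScript may still run on some sites. The option is browser-wide and stays off after the upload, and the page never tells the reader to restore it. I would scope the claim (`Only do this if your security slider is set to Safest`) and add a closing step after the list, e.g. `<p>This setting applies to every site, so re-check "Sanitize cross-site suspicious requests" once your upload has finished.</p>`.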