From e4b0f04504870ec54bc6b4b3b99effa231b0d9ff Mon Sep 17 00:00:00 2001
From: Micah Lee
Date: Wed, 29 May 2019 19:27:21 -0700
Subject: [PATCH 1/2] Strip NoScript XSS warning, because the Tor Browser bug it addressed has been fixed

---
 onionshare/web/web.py | 9 ------
 share/static/img/warning.png | Bin 804 -> 0 bytes
 share/static/js/receive-noscript.js | 2 --
 share/templates/receive.html | 14 ---------
 share/templates/receive_noscript_xss.html | 35 ----------------------
 5 files changed, 60 deletions(-)
 delete mode 100644 share/static/img/warning.png
 delete mode 100644 share/static/js/receive-noscript.js
 delete mode 100644 share/templates/receive_noscript_xss.html

diff --git a/onionshare/web/web.py b/onionshare/web/web.py
index 1e040b54..1d2a3fec 100644
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@@ -164,15 +164,6 @@ class Web(object):
 return ""
 abort(404)
 
- @self.app.route("/noscript-xss-instructions")
- def noscript_xss_instructions():
- """
- Display instructions for disabling Tor Browser's NoScript XSS setting
- """
- r = make_response(render_template('receive_noscript_xss.html',
- static_url_path=self.static_url_path))
- return self.add_security_headers(r)
-
 def error401(self):
 auth = request.authorization
 if auth:
diff --git a/share/static/img/warning.png b/share/static/img/warning.png deleted file mode 100644 index 9be8cbaf1a8f5fbbb20c742d51302b22c3eca975..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 804 zcmV+<1Ka$GP)ZAngDE0*OgPK~zYIt(8wm6mb;C zKW}!{c2>j`(zH$2#aI=hLb@b`R5vey6hRPCco0t!Q6SXWAiPG_RfFmfQA7kDqAn$b z2iL8|T|?{-WG?9LtnSY1urAcH|J41$!0_IDzn}Mp-!L*;zt~`IX0D6M5YR;R^h-r2 z(r(wi!>et7@|$MOre0H((JBISY7&*vnoV_p+xbmHRj*bYrMw0n19630!0)n_BKZc; zTE_bVWKdw$sWC4)24g7W-3k8~!b}C@7R)!wxm+2!*_CX64m#Nr_pKPpSyR%FB6X2{ zD1Cra0erh)eSav`9twM-1E}!~!G$BOor%t+bjE#2#OYUIu=-$?2>?gsRM2jp4tt{m zV(80kk6>^;@JXO~Ct$NgFTQT?c@ptPd|)o4s9G}c!;XzOmYxLOZ4EHA6L8Uu6()PN zC9$b4m%7b|U%X2P#E_r;+MgCN&ehrOr*pN7$AI4If+hQ!yOSM@J#pWP>DgG@aLagD z!gb)JeCkVz>W;PrkdPJC0`=Lhg#Sok2QtHV3!v6YEd%xCAYBQ+__;W*SZzTaCZ|uT`ZG2>;mmX^~^4z04GuwQwWAkGi^3o{y~9ZVE-
- -
-

- Warning: Due to a bug in Tor Browser and Firefox, uploads - sometimes never finish. To upload reliably, either set your Tor Browser - security slider - to Standard or - turn off your Tor Browser's NoScript XSS setting.

-
-

Send Files

@@ -51,7 +38,6 @@
-
diff --git a/share/templates/receive_noscript_xss.html b/share/templates/receive_noscript_xss.html
deleted file mode 100644
index 84d35ba1..00000000
--- a/share/templates/receive_noscript_xss.html
+++ /dev/null
@@ -1,35 +0,0 @@
- - - - OnionShare - - - - -
- -

OnionShare

-
- -
-

Disable your Tor Browser's NoScript XSS setting

- -

If your security slider is set to Safest, JavaScript is disabled so XSS vulnerabilities won't affect you, - which makes it safe to disable NoScript's XSS protections.

- -

Here is how to disable this setting:

- -
    -
  1. Click the menu icon in the top-right of Tor Browser and open "Add-ons"
  2. -
  3. Next to the NoScript add-on, click the "Preferences" button
  4. -
  5. Switch to the "Advanced" tab
  6. -
  7. Uncheck "Sanitize cross-site suspicious requests"
  8. -
- -

If you'd like to learn technical details about this issue, check - this issue - on GitHub.

-
- -

From f979bbe97c21b09727aa50a8a3dd9fc325103afc Mon Sep 17 00:00:00 2001
From: Micah Lee
Date: Thu, 30 May 2019 17:55:58 -0700
Subject: [PATCH 2/2] Remove old noscript css styles

---
 share/static/css/style.css | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/share/static/css/style.css b/share/static/css/style.css
index e445e5de..f2ded524 100644
--- a/share/static/css/style.css
+++ b/share/static/css/style.css
@@ -222,20 +222,3 @@ li.info {
 color: #666666;
 margin: 0 0 20px 0;
 }
-
-div#noscript {
- text-align: center;
- color: #d709df;
- padding: 1em;
- line-height: 150%;
- margin: 0 auto;
-}
-
-div#noscript a, div#noscript a:visited {
- color: #d709df;
-}
-
-.disable-noscript-xss-wrapper {
- max-width: 900px;
- margin: 0 auto;
-}