Strip NoScript XSS warning, because the Tor Browser bug it addressed has been fixed

2024-12-28 00:39:37 -05:00 · 2019-05-29 19:27:21 -07:00 · 2019-05-29 19:27:21 -07:00 · c3ba542ecb
commit c3ba542ecb
parent 12392378d1
5 changed files with 0 additions and 60 deletions
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@ -164,15 +164,6 @@ class Web(object):
                return ""
            abort(404)

-        @self.app.route("/noscript-xss-instructions")
-        def noscript_xss_instructions():
-            """
-            Display instructions for disabling Tor Browser's NoScript XSS setting
-            """
-            r = make_response(render_template('receive_noscript_xss.html',
-                static_url_path=self.static_url_path))
-            return self.add_security_headers(r)
-
    def error401(self):
        auth = request.authorization
        if auth:
--- a/share/static/img/warning.png
+++ b/share/static/img/warning.png
--- a/share/static/js/receive-noscript.js
+++ b/share/static/js/receive-noscript.js
@ -1,2 +0,0 @@
-// Hide the noscript div, because our javascript is executing
-document.getElementById('noscript').style.display = 'none';
--- a/share/templates/receive.html
+++ b/share/templates/receive.html
@ -13,19 +13,6 @@
    </header>

    <div class="upload-wrapper">
-      <!--
-      We are not using a <noscript> tag because it only works when the security slider is set to
-      Safest, not Safer: https://trac.torproject.org/projects/tor/ticket/29506
-      -->
-      <div id="noscript">
-        <p>
-          <img src="{{ static_url_path }}/img/warning.png" title="Warning" /><strong>Warning:</strong> Due to a bug in Tor Browser and Firefox, uploads
-          sometimes never finish. To upload reliably, either set your Tor Browser
-          <a rel="noreferrer" target="_blank" href="https://tb-manual.torproject.org/en-US/security-slider/">security slider</a>
-          to Standard or
-          <a target="_blank" href="/noscript-xss-instructions">turn off your Tor Browser's NoScript XSS setting</a>.</p>
-      </div>
-
      <p><img class="logo" src="{{ static_url_path }}/img/logo_large.png" title="OnionShare"></p>

      <p class="upload-header">Send Files</p>
@ -51,7 +38,6 @@
      </form>

    </div>
-    <script src="{{ static_url_path }}/js/receive-noscript.js"></script>
    <script src="{{ static_url_path }}/js/jquery-3.4.0.min.js"></script>
    <script async src="{{ static_url_path }}/js/receive.js"></script>
  </body>
--- a/share/templates/receive_noscript_xss.html
+++ b/share/templates/receive_noscript_xss.html
@ -1,35 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
-    <title>OnionShare</title>
-    <link href="{{ static_url_path }}/img/favicon.ico" rel="icon" type="image/x-icon">
-    <link rel="stylesheet" rel="subresource" type="text/css" href="{{ static_url_path }}/css/style.css" media="all">
-  </head>
-  <body>
-
-    <header class="clearfix">
-        <img class="logo" src="{{ static_url_path }}/img/logo.png" title="OnionShare">
-        <h1>OnionShare</h1>
-    </header>
-
-    <div class="disable-noscript-xss-wrapper">
-      <h3>Disable your Tor Browser's NoScript XSS setting</h3>
-
-      <p>If your security slider is set to Safest, JavaScript is disabled so XSS vulnerabilities won't affect you,
-      which makes it safe to disable NoScript's XSS protections.</p>
-
-      <p>Here is how to disable this setting:</p>
-
-      <ol>
-        <li>Click the menu icon in the top-right of Tor Browser and open "Add-ons"</li>
-        <li>Next to the NoScript add-on, click the "Preferences" button</li>
-        <li>Switch to the "Advanced" tab</li>
-        <li>Uncheck "Sanitize cross-site suspicious requests"</li>
-      </ol>
-
-      <p>If you'd like to learn technical details about this issue, check
-        <a rel="noreferrer" href="https://github.com/micahflee/onionshare/issues/899">this issue</a>
-        on GitHub.</p>
-    </div>
-  </body>
-</html>