Update the noscript upload instructions on the receive mode upload page, and add separate page for instructions to disable NoScript XSS setting

onionshare/web/web.py

@@ -132,6 +132,14 @@ class Web(object):
             self.force_shutdown()
             return ""
 
+        @self.app.route("/noscript-xss-instructions")
+        def noscript_xss_instructions():
+            """
+            Display instructions for disabling Tor Browser's NoScript XSS setting
+            """
+            r = make_response(render_template('receive_noscript_xss.html'))
+            return self.add_security_headers(r)
+
     def error404(self):
         self.add_request(Web.REQUEST_OTHER, request.path)
         if request.path != '/favicon.ico':

share/static/css/style.css

@@ -199,10 +199,15 @@ div#noscript {
   color: #e55454;
   padding: 1em;
   line-height: 150%;
-  max-width: 700px;
+  max-width: 900px;
   margin: 100px 2em 0 2em;
 }
 
 div#noscript a, div#noscript a:visited {
   color: #e27f7f;
 }
+
+.disable-noscript-xss-wrapper {
+  max-width: 900px;
+  margin: 0 auto;
+}

share/templates/receive.html

@@ -25,7 +25,7 @@
                {% if messages %}
                  <ul class=flashes>
                  {% for category, message in messages %}
-		 <li class="{{ category }}">{{ message }}</li>
+		               <li class="{{ category }}">{{ message }}</li>
                  {% endfor %}
                  </ul>
                {% endif %}
@@ -34,15 +34,18 @@
         </form>
 
         <!-- We are not using a <noscript> tag because it only works when the security slider
-             is set to Safest, not Safer. -->
+             is set to Safest, not Safer.
+
+             For more information about the upload issue:
+             https://github.com/micahflee/onionshare/issues/899
+        -->
         <div id="noscript">
           <p>
-            <strong>Warning:</strong> Due to a bug in Tor Browser and Firefox, if you
-            want to upload a file bigger than 50mb, you must set the Tor Browser
+            <strong>Warning:</strong> Due to a bug in Tor Browser and Firefox, uploads
+            sometimes never finish. To upload reliably, either set your Tor Browser
             <a rel="noreferrer" target="_blank" href="https://tb-manual.torproject.org/en-US/security-slider/">security slider</a>
-            to Standard. Otherwise your upload will never finish.</p>
-
-            <p>If you plan on only uploading small files, your current settings are fine.</p>
+            to Standard or
+            <a target="_blank" href="/noscript-xss-instructions">turn off your Tor Browser's NoScript XSS setting</a>.</p>
         </div>
       </div>
     </div>

share/templates/receive_noscript_xss.html

@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+ <head>
+    <title>OnionShare</title>
+    <link href="/static/img/favicon.ico" rel="icon" type="image/x-icon" />
+    <link href="/static/css/style.css" rel="stylesheet" type="text/css" />
+  </head>
+  <body>
+
+    <header class="clearfix">
+        <img class="logo" src="/static/img/logo.png" title="OnionShare">
+        <h1>OnionShare</h1>
+    </header>
+
+    <div class="disable-noscript-xss-wrapper">
+      <h3>Disable your Tor Browser's NoScript XSS setting</h3>
+
+      <p>If your security slider is set to Safest, JavaScript is disabled so XSS vulnerabilities won't affect you,
+      which makes it safe to disable NoScript's XSS protections.</p>
+
+      <p>Here is how to disable this setting:</p>
+
+      <ol>
+        <li>Click the menu icon in the top-right of Tor Browser and open "Add-ons"</li>
+        <li>Next to the NoScript add-on, click the "Preferences" button</li>
+        <li>Switch to the "Advanced" tab</li>
+        <li>Uncheck "Sanitize cross-site suspicious requests"</li>
+      </ol>
+
+      <p>If you'd like to learn technical details about this issue, check
+        <a rel="noreferrer" href="https://github.com/micahflee/onionshare/issues/899">this issue</a>
+        on GitHub.</p>
+    </div>
+  </body>
+</html>