GlobaLeaks icon indicating copy to clipboard operation
GlobaLeaks copied to clipboard

Published 20 hours ago verified publisher icon globaleaks

if the browser plugin ScriptSafe plugin is used, the javascript disabled message is not shown

Open fpietrosanti opened this issue 9 years ago • 12 comments

If Javascript is disabled, the end-user is not shown proper error messages.

In past we made a proper error message to appear, informing the user about the need to enable javascript.

Now sounds like is not working anymore, the user is not informed that he must enable javascript.

fpietrosanti avatar Aug 27 '14 14:08 fpietrosanti

this is not correct

the code is in place and correctly working when javascript is disabled by:

  • browser configuration (i.e.g javascript.enabled = false on firefox on about:config)

  • using noscript on firefox

    the ticket need to be related only to the plugin scriptsafe on chrome.

evilaliv3 avatar Aug 27 '14 14:08 evilaliv3

@fpietrosanti: @hellais has verified that this is not a bug of GlobaLeaks while a strange behaviour implemented by script safe and the same behaviour happens wor website like google and antani so i consider this ticket to be closed.

evilaliv3 avatar Aug 28 '14 10:08 evilaliv3

what to do with this ticket?

fpietrosanti avatar Sep 21 '14 11:09 fpietrosanti

i do not think there is any way to fix this as i do not find any way to detect script safe. in addition if the user is running script safe he already know of such a situation so if he notice a blank page he know that the way to right javascript execution by configuring the plugin for the current url.

evilaliv3 avatar Sep 21 '14 15:09 evilaliv3

While thinking a bit about this I came up with a solution that is similar to what modernizr does to detect javascript support. The issue with scriptsafe is that it ignores the <noscript> tags hence leading it to no visualise the content therein contained and instead showing a white page.

A possible workaround to this could be to add some divs that have the class attribute set to no-javascript-support, then we add a javascript snippet that when run will change the no-javascript-support to javascript-support. These two elements are styled using only css and the javascript-support class is set to display: none, while the no-javascript-support is set to display: block.

I have not actually tested this in ScriptSafe, but just dumping this here since it came up while I was looking at past ticket.

hellais avatar Sep 24 '14 09:09 hellais

correct. this is not so standard but duable. i think probably in order to have something working on most browser it's better to include directly modernizr and exploit its capabilities.

evilaliv3 avatar Sep 24 '14 10:09 evilaliv3

what we can do about that ?

vecna avatar Feb 28 '15 00:02 vecna

I think my above suggestion is still a viable option that is quite simple to implement and does not require external dependencies.

hellais avatar Mar 17 '15 10:03 hellais

you are right @hellais.

while implementing this we should keep in mind problems like: https://github.com/globaleaks/GlobaLeaks/issues/1189

evilaliv3 avatar Mar 17 '15 10:03 evilaliv3

@evilaliv3 I don't think we should be investing time in supporting a browser that will soon be deprecated (OrWeb will be replaced by OrFox).

hellais avatar Mar 17 '15 10:03 hellais

i see and i agree. what we can do is in general to keep in mind this and find general solutions and design well written messagise and explainations of what is happening and how to point the user to solve his problem.

evilaliv3 avatar Mar 17 '15 10:03 evilaliv3

@evilaliv3 Orbot is widely diffused and it's unlikely to go away in few months (maybe in 2 years?), btw sounds like a similar problem to provide better instructions for individual widely used browsers on how to enable JS, when the default is "disabled"

fpietrosanti avatar Mar 17 '15 10:03 fpietrosanti