Opened 3 months ago

Closed 3 months ago

#2537 closed defect (wontfix)

Clashes between Noscript and I2Pconsole

Reported by: anonymous maybe
Owned by: sadie
Priority: major
Milestone: undecided
Component: apps/console
Version: 0.9.40
Keywords:
Cc: idk, Meeh
Parent Tickets:
Sensitive: no

Description (last modified by anonymous maybe)

As we all know, JavaScript is the poisoned honey of the web: it looks nice, but it runs in user space, which leads to many security flaws and deanonymization.

Best practice is to keep NoScript always on to block any unwanted JS while the user is surfing the web. The issue here is that there is JS located in I2Pconsole itself, meaning the NoScript/I2P Browser best security practice clashes with I2Pconsole.

Solutions:

Bad: Add I2Pconsole as Trusted in NoScript so it won't block JS in it. But don't forget that we are allowing JS in the end, which removes the whole idea of NoScript in the browser.

Best: Clean JS from I2Pconsole and keep it safe by default.

I have already done a proposal for that:

https://i2pforum.net/viewtopic.php?f=13&t=537

Change History (8)

comment:1 Changed 3 months ago by anonymous maybe

Description: modified (diff)

comment:2 Changed 3 months ago by anonymous maybe

Description: modified (diff)

comment:3 Changed 3 months ago by Meeh

I also noticed that we have to enable some kind of "noscript" frontend - cause only way to allow JS now is by going to add-ons and manually disable noscript. That wasn't so nice. I'm gonna find a fix for that.

comment:4 in reply to:  3 Changed 3 months ago by anonymous maybe

Replying to meeh:

> I also noticed that we have to enable some kind of "noscript" frontend - cause only way to allow JS now is by going to add-ons and manually disable noscript. That wasn't so nice. I'm gonna find a fix for that.

You can't do that at the moment; this is a security measure within TBB (only per session). You can set NoScript to trust this JS or to temporarily trust it, BUT it will be gone after restarting the browser.

Look at TBB ticket:

https://trac.torproject.org/projects/tor/ticket/27175

It is set to Fix, but look at the last line. And I'm using TBB and yeah, the issue is still there.

In the end, like I said, the issue is not with the NS plugin but with the console.

Reminder Vulnerability:

https://blog.exodusintel.com/2014/08/25/tails-from-the-cri2p/

comment:5 Changed 3 months ago by Meeh

Ah ok, thanks. I'm gonna read up on the links. We will figure this out and find a way, it's just javascript after all :p been coding it via dayjob for years.

comment:6 Changed 3 months ago by Meeh

Another benefit with rolling our own browser is that we're totally free to not copy them on everything. :)

comment:7 in reply to:  5 Changed 3 months ago by anonymous maybe

Replying to Meeh:

> it's just javascript after all :p been coding it via dayjob for years.

No, please stop coding it in I2P :P

comment:8 Changed 3 months ago by zzz

Resolution: wontfix
Sensitive: unset
Status: new → closed

The limited JS in the console provides a nice refresh for the summary bar and i2psnark, and other minor things. JS is optional and it works fine without it, but the iframe refresh is much uglier. We also have a CSP specified in the headers. This is a user choice, block JS or not. JS is not a defect. For concerns with i2p browser please file a different ticket against that component.
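
Comment 8 mentions a CSP in the response headers. The following is an added example (not code from I2P or from this ticket) of checking what a given Content-Security-Policy value still lets scripts do. The header strings are constructed samples, because the ticket does not quote the console's actual policy, and the function names are hypothetical.

```python
# Added example: audit a Content-Security-Policy value for script-related weaknesses.
# STRICT and LOOSE are constructed samples, not the I2P console's real header.
STRICT = "default-src 'self'; script-src 'self'; object-src 'none'"
LOOSE = "default-src 'self' 'unsafe-inline'; img-src *"

RISKY_SCRIPT_SOURCES = {
    "'unsafe-inline'": "inline <script> blocks and event handlers may run",
    "'unsafe-eval'": "eval() and similar string-to-code sinks are allowed",
    "*": "scripts may load from any origin",
    "data:": "data: URIs can carry script",
    "http:": "scripts may load from any plain-HTTP origin",
    "https:": "scripts may load from any HTTPS origin",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Lower-cased for matching only. A repeated directive is ignored:
        # the first occurrence wins, as in the CSP specification.
        policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def audit_script_policy(header_value):
    """Return a list of findings about what the policy lets scripts do."""
    policy = parse_csp(header_value)
    # script-src falls back to default-src when it is absent.
    directive = next((d for d in ("script-src", "default-src") if d in policy), None)
    if directive is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    sources = policy[directive]
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    strict_inline = any(s.startswith(NONCE_OR_HASH) for s in sources)
    findings = []
    for source in sources:
        if source == "'unsafe-inline'" and strict_inline:
            continue
        if source in RISKY_SCRIPT_SOURCES:
            findings.append(f"{directive} {source}: {RISKY_SCRIPT_SOURCES[source]}")
    return findings
```

An empty result means the policy confines scripts to explicitly listed origins; any finding is a case where injected markup could still execute even though a CSP header is present.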
