Advise users to disable Javascript #101
Comments
If Javascript is enabled in the TBB, we can pop up a friendly box directly underneath the NoScript icon in the toolbar, which is in a consistent place in the stock TBB, with instructions for using NoScript to disable scripts globally. For non-TBB, we can pop up a more generic dialog with instructions for disabling Javascript in various browsers. To detect if we're running in Tor Browser, we can use the technique currently used by flash proxy:
To handle false positives (which are unlikely), we can include a small "Not using Tor Browser?" link at the bottom which pops up the generic instructions. False negatives are unlikely, but will be handled by the generic instructions popup.
In the case where a user does not wish to disable Javascript, we can include a "Disable this warning in the future" option. This should be accompanied by a stern warning, but if they go through with it we can set a flag in localStorage that will prevent the dialog from appearing in the future. I am not sure if it is better to provide this option (if included, it should not be an obvious "click through and get this out of my face" type of interaction), or to not provide it and consistently nag people to disable Javascript.
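The dialog selection described in the comment above, sketched as an added example that is not part of the original comment or of SecureDrop's code. The key name, function names and return strings are hypothetical, and the Tor Browser detection result is taken as an input because the technique is not reproduced on this page.

```javascript
// Added illustration: names here are hypothetical, not SecureDrop code.
const DISMISS_KEY = "jsWarningDismissed"; // hypothetical localStorage key

// Storage access can throw (storage disabled, restrictive privacy settings).
// Any failure is treated as "not dismissed" so the warning fails safe.
function isDismissed(storage) {
  try {
    return storage.getItem(DISMISS_KEY) === "1";
  } catch (e) {
    return false;
  }
}

// Record the "Disable this warning in the future" choice.
// Returns false when the flag could not be stored.
function dismissWarning(storage) {
  try {
    storage.setItem(DISMISS_KEY, "1");
    return true;
  } catch (e) {
    return false;
  }
}

// This code only runs when scripts are enabled, so reaching it means the
// warning applies. looksLikeTorBrowser is the result of the detection check
// (not reproduced here); userSaysNotTor is the "Not using Tor Browser?" link.
function chooseDialog({ looksLikeTorBrowser, userSaysNotTor, storage }) {
  if (isDismissed(storage)) return "none";
  if (looksLikeTorBrowser && !userSaysNotTor) return "noscript-instructions";
  return "generic-instructions";
}

// Constructed stand-ins for window.localStorage so the logic runs offline.
function makeMemoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
  };
}
const brokenStorage = {
  getItem() { throw new Error("storage unavailable"); },
  setItem() { throw new Error("storage unavailable"); },
};
```

In a page, `window.localStorage` would be passed as `storage`; when it is unavailable the warning simply keeps appearing.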
I agree that the site should run without JavaScript. There are too many ways to identify users using tricks like in EverCookie - http://samy.pl/evercookie/. The source should only be identifiable on or off of the site by giving the code name.
Thumbs up for removing JS.
Working on this
Per #100, the source and journalist sites do not use any Javascript. To help reduce attack surface, we should advise users (especially sources) to disable Javascript entirely in their browser. This should be in the documentation and/or somewhere on the landing page (I'm imagining a little pop-up pointing to the NoScript icon in the toolbar, that can be easily dismissed - ironically, this might best be handled with Javascript).
If they are using TBB, this is very easy (two clicks!) because NoScript is preinstalled (but not activated by default). The user can click the NoScript icon in the toolbar, next to the URL bar, and choose "Forbid Scripts Globally (advised)".