Purify I2Pconsole from JavaScripts (JS)

Proposals for I2P
Post Reply
anonymousmaybe
Posts: 35
Joined: 06 Oct 2018 17:06

Purify I2Pconsole from JavaScripts (JS)

Post by anonymousmaybe »

using "GNU libre JS" it will show any JS/non-free JS used in the browser.

so its better for the sake of security to overcome any design which contain JS.

JS details:

some scripts found in the console as 127.0.0.1:7657/js/ajax.js:-

Code: Select all

var fails = 0;

function ajax(url, target, refresh) {
  // native XMLHttpRequest object
  if (window.XMLHttpRequest) {
    req = new XMLHttpRequest();
    req.onreadystatechange = function() {ajaxDone(url, target, refresh);};
    req.open("GET", url, true);
    req.send(null);
    // IE/Windows ActiveX version
  } else if (window.ActiveXObject) {
    req = new ActiveXObject("Microsoft.XMLDOM");
    if (req) {
      req.onreadystatechange = function() {ajaxDone(target);};
      req.open("GET", url, true);
      req.send(null);
    }
  }
}

function ajaxDone(url, target, refresh) {
  // only if req is "loaded"
  if (req.readyState == 4) {
    // only if "OK"
    if (req.status == 200) {
      fails = 0;
      results = req.responseText;
      document.getElementById(target).innerHTML = results;
      //document.getElementsbyClassName("hideifdown").style.display="block";
    } else if (fails == 0) {
      // avoid spurious message if cancelled by user action
      fails++;
    } else {
      document.getElementById(target).innerHTML = failMessage;
      //document.getElementByClassName("hideifdown").style.display="none";
    }

    // conditionally display graph so ajax call doesn't interfere with refreshGraph.js
    var graph = document.getElementById("sb_graphcontainer");
      if (graph) {
      graph.style.backgroundImage = "url(/viewstat.jsp?stat=bw.combined&periodCount=20&width=220&height=50&hideLegend=true&hideGrid=true&time=" + new Date().getTime();
    }

    setTimeout(function() {ajax(url, target, refresh);}, refresh);
  }
}
- http://127.0.0.1:7657/js/iframed.js

Code: Select all

function injectClass(f) {
    f.className += ' iframed';
    var doc = 'contentDocument' in f? f.contentDocument : f.contentWindow.document;
    doc.body.className += ' iframed';
}
function resizeFrame(f) {
    // offsetHeight returns the height of the visible area for an object, in pixels.
    // The value contains the height with the padding, scrollBar, and the border,
    // but does not include the margin. Therefore, any content within the iframe
    // should have no margins at the very top or very bottom to avoid a scrollbar.
    var doc = 'contentDocument' in f? f.contentDocument : f.contentWindow.document;
    var totalHeight = doc.body.offsetHeight;

    // Detect if horizontal scrollbar is present, and add its width to height if so.
    // This prevents a vertical scrollbar appearing when the min-width is passed.
    // FIXME: How to detect horizontal scrollbar in iframe? Always apply for now.
    if (true) {
        // Create the measurement node
        var scrollDiv = document.createElement("div");
        scrollDiv.className = "scrollbar-measure";
        scrollDiv.style.width = "100px";
        scrollDiv.style.height = "100px";
        scrollDiv.style.overflow = "scroll";
        scrollDiv.style.position = "absolute";
        scrollDiv.style.top = "-9999px";
        document.body.appendChild(scrollDiv);

        // Get the scrollbar width
        var scrollbarWidth = scrollDiv.offsetWidth - scrollDiv.clientWidth;
        totalHeight += scrollbarWidth;

        // Delete the div
        document.body.removeChild(scrollDiv);
    }

    f.style.height = totalHeight + "px";
}

- http://127.0.0.1:7657/js/resetScroll.js

Code: Select all

// resets scroll position of element
// use with onblur to clear scroll position when element loses focus


// reset scroll to left position

function resetScrollLeft(element) {
    element.scrollLeft = 0;
}

// reset scroll to top position

function resetScrollTop(element) {
    element.scrollTop = 0;
}
User avatar
zzz
Posts: 183
Joined: 31 Mar 2018 13:15

Re: Purify I2Pconsole from JavaScripts (JS)

Post by zzz »

Our use of js is relatively minor and always has fallbacks for non-js. In the meeting today OP proposed an option to disable/remove the js. This is not required nor advisable; if anybody wants to disable js, they may do so in their browser.
User avatar
eyedeekay
Posts: 87
Joined: 21 Jul 2018 06:53

Re: Purify I2Pconsole from JavaScripts (JS)

Post by eyedeekay »

I promised to get back to you on this as well, sorry I didn't get around to it sooner. I agree with zzz, providing an option to disable the JS in the console is redundant considering all the better places it could be done.

OP also noted that a plugin(LibreJS) to control the scripts based on the plugin's ability to discern the license of the Javascript file in question. LibreJS comes pre-installed with the web browser IceCat, which is basically a periodically-updated set of scripts for de-branding Firefox ESR(And they do track ESR updates, but the update procedure could be a lot easier for people who just want a binary package). They also ship a Tor extension in their browser, which works with a system-installed Tor package to provide access to .onions and the web anonymously. It's not as cool as the one I wrote for us :), but it shows that IceCat developers are open to the idea of working with privacy networks in their product. Besides that, I've had a good look at the ins-and-outs of what they actually do to Firefox and of particular note, it's about a billion times easier to take IceCat's debrander and modify it than it is to take TBB and wedge I2P bits in. They are reasonably good product, they apparently have users although it's probably impossible to determine how many in a very good way, and they're likely to be willing to work with us. In light of that, I'm going to make our javascript work with their extension by adding the appropriate tags except where the javascript meets the LibreJS definition of trivial. I believe that the following is the case re: licenses to javascript code

Public Domain
-------------

./apps/routerconsole/jsp/js/refreshGraph.js
./apps/routerconsole/jsp/js/welcomeajax.js
./apps/routerconsole/jsp/js/resetScroll.js
./apps/routerconsole/jsp/js/iframed.js
./apps/routerconsole/jsp/js/stats.js
./apps/routerconsole/jsp/js/ajax.js
./apps/routerconsole/jsp/js/configclients.js
./apps/routerconsole/jsp/js/configstats.js

MIT
---
./apps/susidns/src/js/messages.js


GPL+Exception
-------------

./apps/i2psnark/resources/js/initajax.js
./apps/i2psnark/resources/js/delete.js
./apps/i2psnark/resources/js/folder.js
./apps/i2psnark/java/build/resources/.resources/js/initajax.js
./apps/i2psnark/java/build/resources/.resources/js/delete.js
./apps/i2psnark/java/build/resources/.resources/js/folder.js
./apps/susimail/src/js/notifications.js
./apps/susimail/src/js/folder.js
./apps/susimail/src/js/compose.js
./apps/i2ptunnel/jsp/js/tableSlider.js
./apps/i2ptunnel/jsp/js/delete.js
Post Reply