AsmBB

Power
Login Register

Disabling all JavaScript & making the User List private

#16119 (ツ) MrMister
Created 12.05.2020, read: 585 times

I tried removing anything in the templates with script or .js in it, and that took care of a lot, but, I still get a "1" in NoScript and eMatrix (eMatrix is the uMatrix equivalent for UXP-derived browsers).

eMatrix gives a little bit info:

http://[...].b32.i2p/{inline_script}

script-src 'unsafe-eval' blob: *

However, I'm not really sure what to do with this information, as I see nothing (using grep -r) anything having to do with JavaScript. Any pointers on that would be very helpful to me!

Secondly, the user list displays when someone was last on, when they joined, and their user agent, as well as IP. Admittedly less of an issue on darknets such as I2P, but it isn't great for privacy.

So, how would I go about making the user list at least "admin only" or "not public"?

Thanks in advance!

#16120 (ツ) johnfound
Created 12.05.2020, read: 580 times
MrMister

I tried removing anything in the templates with script or .js in it, and that took care of a lot, but, I still get a "1" in NoScript and eMatrix (eMatrix is the uMatrix equivalent for UXP-derived browsers).

eMatrix gives a little bit info:

http://[...].b32.i2p/{inline_script}

script-src 'unsafe-eval' blob: *

However, I'm not really sure what to do with this information, as I see nothing (using grep -r) anything having to do with JavaScript. Any pointers on that would be very helpful to me!

Secondly, the user list displays when someone was last on, when they joined, and their user agent, as well as IP. Admittedly less of an issue on darknets such as I2P, but it isn't great for privacy.

So, how would I go about making the user list at least "admin only" or "not public"?

Thanks in advance!

Well, depending on the particular skin there are some small JS snippets in the .tpl files. You can grep them by the <script> tag.

I am not sure why you want to remove the JS from the forum. All AsmBB skins work fine with JS disabled, so the users that prefer not to execute JS, can simply disable it by NoScript or other similar tool. In the same time, the users that trust AsmBB and the forum maintainer will get some additional features like the real-time chat and post editor extras...

The user IP is displayed (of course!) only to the users with administrator permissions. As long as the administrator of the forum always have access to the server logs and the database, displaying the IP addresses to him does not means the user privacy is affected.

For the regular users, the user activity list displays only the user/anon nick, the time and the activity. IMHO, such list is useful for the community interaction process, while is totally harmless for the user privacy.

Total removing of this feature is possible by editing the engine source files. Removing only the link from the templates is useless - anyone can enter the URL manually.

#16121 (ツ) MrMister
Created 12.05.2020, read: 574 times
johnfound
MrMister

I tried removing anything in the templates with script or .js in it, and that took care of a lot, but, I still get a "1" in NoScript and eMatrix (eMatrix is the uMatrix equivalent for UXP-derived browsers).

eMatrix gives a little bit info:

http://[...].b32.i2p/{inline_script}

script-src 'unsafe-eval' blob: *

However, I'm not really sure what to do with this information, as I see nothing (using grep -r) anything having to do with JavaScript. Any pointers on that would be very helpful to me!

Secondly, the user list displays when someone was last on, when they joined, and their user agent, as well as IP. Admittedly less of an issue on darknets such as I2P, but it isn't great for privacy.

So, how would I go about making the user list at least "admin only" or "not public"?

Thanks in advance!

Well, depending on the particular skin there are some small JS snippets in the .tpl files. You can grep them by the <script> tag.

I am not sure why you want to remove the JS from the forum. All AsmBB skins work fine with JS disabled, so the users that prefer not to execute JS, can simply disable it by NoScript or other similar tool. In the same time, the users that trust AsmBB and the forum maintainer will get some additional features like the real-time chat and post editor extras...

The user IP is displayed (of course!) only to the users with administrator permissions. As long as the administrator of the forum always have access to the server logs and the database, displaying the IP addresses to him does not means the user privacy is affected.

For the regular users, the user activity list displays only the user/anon nick, the time and the activity. IMHO, such list is useful for the community interaction process, while is totally harmless for the user privacy.

Total removing of this feature is possible by editing the engine source files. Removing only the link from the templates is useless - anyone can enter the URL manually.

Thanks for the info.

Greping for <script> is what I did, and I removed all that I found, however I still get notice by way of NoScript/eMatrix that JavaScript still persists. I can't find any <script> in the page source (browser side) either. So it must be hiding somewhere else, but I can't figure out where.

As for editing the source, I will give that a go, though I am not experienced with ASM.

I do not like JavaScript for several reasons, but bloat, and appearing suspicious are two of them. This is not to say I think ASMBB's scripts are suspicious, but it can appear that way to others. Since, other websites have abused script so heavily (see: https://www.gnu.org/philosophy/javascript-trap.html for an example). Since ASMBB works fine without it (thankfully) there is no need to have it. More sites and software should follow suit in not having mandatory JavaScript IMO, so kudos for that!

#16122 (ツ) johnfound
Last edited: 12.05.2020 by johnfound, read: 573 times
MrMister

Greping for <script> is what I did, and I removed all that I found, however I still get notice by way of NoScript/eMatrix that JavaScript still persists.

Hm, I am not very skilled in JS and generally in front-end programming. Is it possible the contained in the HTML event attributes such as onclick="something" to be detected as JS by NoScript?

#16123 (ツ) johnfound
Last edited: 12.05.2020 by johnfound, read: 570 times
#16124 (ツ) MrMister
Created 12.05.2020, read: 564 times
johnfound
MrMister

Greping for <script> is what I did, and I removed all that I found, however I still get notice by way of NoScript/eMatrix that JavaScript still persists.

Hm, I am not very skilled in JS and generally in front-end programming. Is it possible the contained in the HTML event attributes such as onclick="something" to be detected as JS by NoScript?

Just removed everything with onclick= in it, still getting JS.

#16125 (ツ) johnfound
Created 12.05.2020, read: 562 times
MrMister
johnfound
MrMister

Greping for <script> is what I did, and I removed all that I found, however I still get notice by way of NoScript/eMatrix that JavaScript still persists.

Hm, I am not very skilled in JS and generally in front-end programming. Is it possible the contained in the HTML event attributes such as onclick="something" to be detected as JS by NoScript?

Just removed everything with onclick= in it, still getting JS.

There are many other events besides onclick. My search found the following:

oninput, onkeydown, onkeypress, onchange, onfocus

But notice, that others are possible. You should grep them with some more complex RE, like: space, followed by "on" then some latin characters, then "=".

#16126 (ツ) MrMister
Created 13.05.2020, read: 547 times
johnfound
MrMister
johnfound
MrMister

Greping for <script> is what I did, and I removed all that I found, however I still get notice by way of NoScript/eMatrix that JavaScript still persists.

Hm, I am not very skilled in JS and generally in front-end programming. Is it possible the contained in the HTML event attributes such as onclick="something" to be detected as JS by NoScript?

Just removed everything with onclick= in it, still getting JS.

There are many other events besides onclick. My search found the following:

oninput, onkeydown, onkeypress, onchange, onfocus

But notice, that others are possible. You should grep them with some more complex RE, like: space, followed by "on" then some latin characters, then "=".

I have further removed all of that which I found (including the ones you mentioned), and yet still, sadly, the JavaScript persists.

The grep command I used: grep " on\S=" -r

#16127 (ツ) johnfound
Created 13.05.2020, read: 542 times
MrMister

I have further removed all of that which I found (including the ones you mentioned), and yet still, sadly, the JavaScript persists.

The grep command I used: grep " on\S=" -r

Well, it is very strange. What skin you are trying to edit? I will take a look how to remove all the JS from it.

#16128 (ツ) MrMister
Created 14.05.2020, read: 521 times
johnfound
MrMister

I have further removed all of that which I found (including the ones you mentioned), and yet still, sadly, the JavaScript persists.

The grep command I used: grep " on\S=" -r

Well, it is very strange. What skin you are trying to edit? I will take a look how to remove all the JS from it.

I was trying with the Wasp skin. If I got that to work I was also going to try with the "mobile" skin.

#16129 (ツ) johnfound
Created 14.05.2020, read: 515 times
MrMister

I was trying with the Wasp skin. If I got that to work I was also going to try with the "mobile" skin.

OK, here it is. The attached file contains a skin named NoJS, based on WASM, that is not using JS at all. NoScript displays "Blocked 0 of 0 items".

This is the source code. You should compile it through "compile_styles.sh" script or any other LESS compiler in order to get the .css files. Or simply get only the .tpl files - there is no changes in the styles actually.

Most of the files in the "mobile" skin are actually symlinks to the respective files of the "Wasp" skin, so the changes should be only a few, if any.

Attached files:
FileSizeUploadedDownloadsMD5 hash
NoJS.tar.gz217628 bytes14.05.2020351a5e40e4cab5b719949366a58da2e10b
#16139 (ツ) MrMister
Created 15.05.2020, read: 485 times
johnfound

Also, in order to disable the users activity list totally, try to delete this line from the file commands.asm and them recompile:

https://asm32.info/fossil/repo/asmbb/artifact?udc=1&ln=86&name=48fe23effa4e2bee

Of course you should remove the link to the page /!users_online from the templates as well, or else will have "404 Not Found" on clicking it.

This has worked!

I used the instructions on this post to get it working: https://board.asm32.info/instructions-for-assembling-asmbb-without-using-freshide.231/#15572

The main repo for freshlib was down though, so somehow I found this repo which worked: http://chiselapp.com/user/johnfound/repository/FreshIDE/

johnfound
MrMister

I was trying with the Wasp skin. If I got that to work I was also going to try with the "mobile" skin.

OK, here it is. The attached file contains a skin named NoJS, based on WASM, that is not using JS at all. NoScript displays "Blocked 0 of 0 items".

This is the source code. You should compile it through "compile_styles.sh" script or any other LESS compiler in order to get the .css files. Or simply get only the .tpl files - there is no changes in the styles actually.

Most of the files in the "mobile" skin are actually symlinks to the respective files of the "Wasp" skin, so the changes should be only a few, if any.

As it turns out, the theme alterations I had done using that grep command had actually resulted in NoScript giving a "0", but your version did other things better (I was confused by eMatrix's "1").

After I recompiled and reloaded, all the script, even with eMatrix appears to be gone! Absolutely fantastic.

Thank you very much for you help, johnfound!

And thumbs up on making a cool piece of software!

#16144 (ツ) johnfound
Created 15.05.2020, read: 479 times
MrMister

The main repo for freshlib was down though, so somehow I found this repo which worked: http://chiselapp.com/user/johnfound/repository/FreshIDE/

You have found the mirror. It should be fine. Thanks for the report about the main repository. It should not be down and I will need to check it.

Disabling all JavaScript & making the User List private

AsmBB v2.9 (check-in: 6d407831308ba556); SQLite v3.31.1 (check-in: 3bfa9cc97da10598);
©2016..2020 John Found; Licensed under EUPL. Powered by Assembly language Created with Fresh IDE