From ba3efefc7bd2879ee7b9a233981eb4d0fb81c903 Mon Sep 17 00:00:00 2001
From: rugk
Date: Wed, 13 Feb 2019 11:59:07 +0100
Subject: [PATCH] Add warning for insecure HTTP
---
 js/privatebin.js | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
diff --git a/js/privatebin.js b/js/privatebin.js
index cf747335..52ea8f63 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4436,6 +4436,7 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) {
 TopNav.init();
 UiHelper.init();
 Uploader.init();
+ InitialCheck.init();
 // check whether existing paste needs to be shown
 try {
@@ -4465,6 +4466,70 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) {
 return me;
 })(window, document);
+
+ /**
+ * initial (security) check
+ *
+ * @name InitialCheck
+ * @param {object} window
+ * @param {object} document
+ * @class
+ */
+ var InitialCheck = (function (window, document) {
+ var me = {};
+
+ /**
+ * check if the connection is insecure
+ *
+ * @private
+ * @name InitialCheck.isInsecureConnection
+ * @function
+ */
+ function isInsecureConnection()
+ {
+ const url = new URL(document.URL);
+
+ // HTTP is obviously insecure
+ if (url.protocol !== 'http:') {
+ return false;
+ }
+
+ // filter out actually secure connections over HTTP
+ if (
+ url.hostname.endsWith('.onion') ||
+ url.hostname.endsWith('.i2p')
+ ) {
+ return false;
+ }
+
+ // whitelist localhost for development
+ if (
+ url.hostname === 'localhost' ||
+ url.hostname === '127.0.0.1'
+ ) {
+ return false;
+ }
+
+ // totally INSECURE http protocol!
+ return true;
+ }
+
+ /**
+ * init on application start
+ *
+ * @name InitialCheck.init
+ * @function
+ */
+ me.init = function()
+ {
+ if (isInsecureConnection()) {
+ Alert.showError('This instance is using an insecure connection! Please only use this for testing.');
+ }
+ }
+
+ return me;
+ })(window, document);
+
 return {
 Helper: Helper,
 I18n: I18n,
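Review bot: The loopback exemption in `isInsecureConnection()` compares the hostname to only `localhost` and `127.0.0.1`, so a development instance reached at `[::1]` or another 127.0.0.0/8 address gets the error. An early `if (window.isSecureContext) { return false; }` ahead of the hostname tests would cover those loopback forms and leave the `.onion`/`.i2p` suffix checks for browsers that do not treat those hosts as secure. The doc comment on `InitialCheck` should also say that this is a hint to the user and not a control: on plain HTTP an on-path party can alter or strip the script that shows the message, so the deployment still needs an HTTPS redirect and HSTS on the server side. The comment `// HTTP is obviously insecure` sits on the branch that returns false for every non-HTTP scheme and would read better as `// anything other than plain HTTP is not flagged here`.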