Hello, I noticed a problem with the way LibreJS displays some script links. LibreJS does not include the query string (the part after the '?') when presenting links, which means the script you click on in LibreJS could be different from the script that actually would be executed. For example, on this page for sample ballots [1], you will see a script at [2] listed in LibreJS, but when you click on that link, you will get a 404 error page. If you view the HTML source of the page [3] and ctrl+F for "WebResource", you will see that there is a corresponding script tag that should include "?d=MNJoMkNhH6PXyoAVyephgc5zG0Kl3XENDyBeYod5KBRwslKU_pr2SCPr4zAZ53jiLf6hyOkI2Z1aLd0nedPpQ5sN6ILFmouLh4mOzmCwTIU1&t=637814437746327080" after the part of the URL that LibreJS shows.
I looked for previous discussion about this, but I could not find any. It seems that LibreJS should show the query string also, but I suppose there could be a link that updates with every refresh, despite pointing to the same script text, so I'm not sure what the best way to handle this is.

When the URL without the query string is a 404 or an empty script, this problem is mostly a matter of convenience, but I imagine there could be a problem where, if LibreJS is ignoring query strings completely (and I'm not sure that it is), then a page could serve a free non-malicious script when there is no query string, but serve a nonfree or malicious script when there is a particular query string. There are surely other ways for webpages to trick people into running malware [4], so maybe this is not such a big deal.

Ideally, I think LibreJS should store checksums of scripts, but it seems like it only does this for inline scripts currently?

[1] https://www.collincountytx.gov/elections/election_information/Pages/sampleballots.aspx
[2] https://www.collincountytx.gov/WebResource.axd
[3] (e.g. using view-source:https://www.collincountytx.gov/elections/election_information/Pages/sampleballots.aspx in Abrowser/Firefox)
[4] (e.g. simply sending a malicious script in 1/100 cases; most people would see the non-malicious script first, but most people who used the site often would run the non-malicious script eventually)
