[Tails-dev] Review of https://tails.boum.org/contribute/index.en.html

2014-03-26 Thread Alster
Hi,

intrigeri suggested I could review the "how to contribute to Tails
infrastructure" page, and due to a misunderstanding I assumed he was
referring to

  https://tails.boum.org/contribute/index.en.html

and thus reviewed this page.

So, for this page review to not go to waste, I'll send it here so
anyone interested in improving this page now or later may take it into
account.

Thanks,

Alster



My feedback:


A. First part of the page (until, but not including, the table of contents)

* Provides a good overview about how people can contribute to Tails
(though I cannot claim to know all the available options and thus cannot
be sure it is complete). Thanks to the icons used and the small blocks
of short text it is visually appealing.

* The "User" section could be renamed to "Contribute your Tails
experience" and the "Donate" section could be renamed to "Contribute
financially" to be in line with the other sections, though I admit this
makes them somewhat cheesy.

* I suggest to replace the "designer" icon (which is currently identical
with the "writer" icon) by one which is more closely related to visual
arts, such as a palette or drawing board - if there is someone available
to provide additional icons in the same style.

* All the web links in this section work and point to pages which
provide the information the links to them discuss. Several links point
to the same page, and actually only discuss part of this page. Maybe
anchored links could be used to directly point people to the matching
content / section on these pages. But then anchors can change, so maybe
that's why they are not being used here.

* I'm not sure whether the headings "Contribute with your language
skills" and "Contribute with your computer skills" should remain as they
are or whether the word "with" should be dropped. A native English
speaker will need to comment on this.



B. Second part of the page (starting at the table of contents)

* I _guess_ that this is actually the former version of this page, since
it starts with a table of contents in the middle of a web page.

* The information provided in this part of the page seems relevant to
me, but I also think it clutters this page and should go to a separate
page instead, which is then referred to by the pages the first part of
this page points to, where it makes sense. For example, many (but not
all) of the topics discussed here are primarily relevant to those who
work on software (a designer may not need or want to know about how to
build Debian packages - it may actually drive them away) - so these
could be linked on https://tails.boum.org/contribute/how/code/

* The note saying that
"there _are_ currently no way to contribute to Tails if you do not
understand English"
should instead say:
"there _is_ currently no way to contribute to Tails if you do not
understand English"
However, this statement can at least partially seem to contradict the
first part of this page which also discusses ways to contribute to
Tails, and will likely be translated (?), and I assume you do not intend
to receive donations only from those who understand the English
language. On the other hand I see how even for most organizational
matters basic understanding of the English language will actually be a
requirement.

* All the web links in this section work and point to pages which
provide the information the links to them discuss.



Thanks,

Alster




signature.asc
Description: OpenPGP digital signature
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

[Tails-dev] HSTS on https://mailman.boum.org/

2014-03-26 Thread Alster
Hi,

I recently noticed that https://mailman.boum.org/ does not currently
send an HTTP Strict Transport Security header (while other sites do) -
maybe using it is an option there, too?

Thanks for considering,

Alster




[Tails-dev] More tails.boum.org HTTP response headers?

2014-03-26 Thread Alster
Hi again,

I propose to add the following HTTP headers to all Tails web pages (it's
sufficient to send these for HTTP responses for "Content-Type:
text/html" only, though applying it globally doesn't hurt):

X-Frame-Options:
  SAMEORIGIN

X-XSS-Protection:
  1; mode=block

X-Content-Type-Options:
  nosniff

Content-Security-Policy:
  default-src 'self' tails.boum.org *.tails.boum.org;
  script-src 'self' 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  img-src *;
  media-src *;
  object-src 'self';
  frame-src 'self';
  frame-ancestors 'self';
  child-src 'self';
  reflected-xss block;

(Newlines were added to improve readability only.)



Reasoning and links to documentation:

X-Frame-Options:
  Prevents content hosted on tails.boum.org from being embedded in an
(I)FRAME on other web sites (such as part of a click-jacking or
phishing attack). Interpreted by Firefox, Chrome, Internet Explorer,
Opera, Safari.
  http://tools.ietf.org/html/rfc7034

X-XSS-Protection:
  Instructs Internet Explorer 8+ to use its internal XSS filter (which
is mostly broken but is of use for this purpose) to block reflective XSS.

http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
  https://www.owasp.org/index.php/List_of_useful_HTTP_headers

X-Content-Type-Options:
  Instructs Internet Explorer 8+ to not use content sniffing, a method
similar to running GNU file (with MIME magic) on any downloaded content
as a means of determining its content (and how it should be handled /
parsed), overriding the Content-Type header sent by the webserver. I.e.
a very silly idea in the first place, that's been in use by IE for years.
  http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

Content-Security-Policy:
  A measure to prevent XSS and other attacks. This one can be
problematic if you tend to rely on remotely hosted content other than
images and HTML5 audio/video. There are means to have browsers notify
you when they run into situations where their interpretation of your
site's CSP restricts them from loading page content, though. And luckily
the web pages on tails.boum.org do not seem to depend on much or any
remotely hosted content, so you should be in one of the best imaginable
positions to apply a CSP. Interpreted by Firefox, Chrome, Opera, Safari.
  http://www.w3.org/TR/CSP/
  http://www.w3.org/TR/2014/WD-CSP11-20140211/
  https://www.owasp.org/index.php/Content_Security_Policy
  https://github.com/oxdef/csp-tester
  http://developer.chrome.com/extensions/contentSecurityPolicy



I'd be happy to discuss these in more detail with anyone interested in
applying them. Especially the CSP header may require a closer look. I
think it's worth the effort for this website, though.

These headers should be reviewed about a year from now since hopefully
more of them will be standardized and implemented by then. Namely
X-Frame-Options and X-XSS-Protection should have been included into CSP
at this time, and CSP 1.1 should be finalized (deprecating some elements
of 1.0 I'm suggesting to use above).


(On a side note, I'm now subscribed to tails-dev and should get to see
any further discussion on this topic).

Alster



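The following header audit is an added example and is not code from these e-mails or from the Tails project. It covers both the Strict-Transport-Security header asked about in the second message and the X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Content-Security-Policy headers proposed in the third: it parses a response's headers (the CSP into directives and sources, HSTS into max-age and flags) and reports what is missing or weak. The response header sets it runs against are constructed to mirror the proposal above, nothing is fetched from the network, and the 180-day minimum for HSTS max-age is an assumed local policy threshold, not something the messages state. It flags 'unsafe-inline' and 'unsafe-eval' in script-src because those sources let injected inline script execute, which is the attack CSP is meant to stop.

```python
# Added example: offline audit of the HTTP response headers discussed above.
# Not Tails code; sample header sets below are constructed, not captured.

# Assumed local policy threshold for HSTS max-age: 180 days in seconds.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}.

    Directives are separated by ';', sources by whitespace. Directives the
    audit does not evaluate (e.g. the draft reflected-xss) are still kept.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Parse Strict-Transport-Security into max_age and its two flags."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age stays None so the audit flags it
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively; an empty list means every
    header discussed above is present with an acceptable value.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif parsed["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {parsed['max_age']} is short")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")

    xxp = h.get("x-xss-protection")
    if xxp is None:
        findings.append("missing X-XSS-Protection")
    elif xxp.strip().startswith("0"):
        findings.append("X-XSS-Protection disables the filter")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when it is absent
        script = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script:
                findings.append(f"CSP script-src allows {weak}")
    return findings


# Constructed sample responses mirroring the proposal in the e-mail above.
CSP_PROPOSED = (
    "default-src 'self' tails.boum.org *.tails.boum.org; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src *; media-src *; "
    "object-src 'self'; frame-src 'self'; frame-ancestors 'self'; "
    "child-src 'self'; reflected-xss block"
)
PROPOSED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": CSP_PROPOSED,
}
BARE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}

if __name__ == "__main__":
    for label, hdrs in (("proposed", PROPOSED_HEADERS), ("bare", BARE_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Run against the proposed header set, the only findings are the two permissive script-src sources; the bare text/html response yields one finding per missing header. Browsers implementing CSP Level 2 give frame-ancestors precedence over X-Frame-Options, so sending both, as proposed, keeps the older browsers covered without conflict.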