Privatebin: No preview shows for any options on fresh install in Chrome

Created on 14 Aug 2019  Â·  32Comments  Â·  Source: PrivateBin/PrivateBin


Steps to reproduce

  1. Visit https://bin.smr82.net
  2. Enter data in text area

What happens

  1. Nothing shows in preview tab

What should happen

  1. Preview should contain the text entered or source code highlighted

Additional information

Basic information


Server address: https://bin.smr82.net


Server OS: Ubuntu 18.04


Webserver: nginx 1.15.8, PHP 7.2.20


Browser: Version 76.0.3809.100


PrivateBin version: 1.3

I can reproduce this issue on https://privatebin.net: No

bug

All 32 comments

Chrome/Chromium?

Version 67.0.3396.87 without issues.
image
image

Please check developer consiole.

Same here

Broken in Chrome Version 78.0.3880.4 (Official Build) dev (64-bit) on Win10 1903 x64

Nothing reported in Console

Fine on Edge and IE shows loading forever (odd, since nothing about IE at FAQ @ https://github.com/PrivateBin/PrivateBin/wiki/FAQ - Seems IE not supported, should say that

Edit: @r4sas , Chrome 67 is from May 2018 @ https://en.wikipedia.org/wiki/Google_Chrome_version_history

You really better upgrade or risk getting "hacked" quickly.

Same here

Any screenshots? And of page HTML too if possible.
Maybe here any style problem?

You really better upgrade or risk getting "hacked" quickly.

I know which sites I visit, so that doesn’t threaten me.

odd, since nothing about IE at FAQ

All info was in release news: https://privatebin.info/news/v1.3-release.html but yes, need to add info in faq too.

@ssx & @war59312 - I tried to reproduce this on https://bin.smr82.net, it works on Firefox 68.0.2 and Chromium 76.0.3809.100 on Ubuntu 18.04. Since you seem to only have this issue on that server, but not on privatebin.net (the demo site running the 1.3 docker container), is it maybe a plugin that interferes with just that one URL for some reason?

I can't debug it, if I can't reproduce this, unfortunately. :-(

That’s an odd one! I’ll see if I can debug further to shed some light on it.

From: El RIDO notifications@github.com notifications@github.com
Reply: PrivateBin/PrivateBin
reply@reply.github.com
reply@reply.github.com
Date: 17 August 2019 at 09:16:44
To: PrivateBin/PrivateBin privatebin@noreply.github.com
privatebin@noreply.github.com
CC: Scott Robinson scott@dor.ky scott@dor.ky, Mention
mention@noreply.github.com mention@noreply.github.com
Subject: Re: [PrivateBin/PrivateBin] [bug] No preview shows for any
options on fresh install (#483)

@ssx https://github.com/ssx & @war59312 https://github.com/war59312 - I

tried to reproduce this on https://bin.smr82.net, it works on Firefox
68.0.2 and Chromium 76.0.3809.100 on Ubuntu 18.04. Since you seem to only
have this issue on that server, but not on privatebin.net (the demo site
running the 1.3 docker container), is it maybe a plugin that interferes
with just that one URL for some reason?

I can't debug it, if I can't reproduce this, unfortunately. :-(

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/PrivateBin/PrivateBin/issues/483?email_source=notifications&email_token=AAB6HKNCDE632BAN7FMDYNTQE6XWZA5CNFSM4ILYXP42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4QGFSI#issuecomment-522216137,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAB6HKOWOO5YX2I4YVKFV6TQE6XWZANCNFSM4ILYXP4Q
.

FYI, mine is at https://www.war59312.com/bin/

No plugins installed. Pretty much default install, other than name

BTW, it's not just the preview. After I create the paste, it shows up blank as well.

@war59312 cannot reproduce on Windows 10.
Chrome Version 76.0.3809.100 (Official Build) (64-bit)

Same with my install - default install and that tab just doesn't work at all.

Chrome Version 76.0.3809.100.

Same in normal and incognito mode.

On Mon, Aug 19, 2019 at 1:58 AM Haocen notifications@github.com wrote:
>

@war59312 cannot reproduce on Windows 10.
Chrome Version 76.0.3809.100 (Official Build) (64-bit)

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

@ssx do you happen to see anything in developer console?

OK, I'll keep trying to duplicate.

FYI, happens on https://privatebin.net/ too for me

@war59312 can you take a look in developer console?

Well a second ago it was blank on privatebin.net but now I just got:

Refused to load the font 'data:font/woff;base64,d09GRgABAAAAAGVUABEAAAAAxuQAAQABAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAAC4AAAA0ArgC7UdQT1MAAAGwAAAQ6AAALgxKsqRTR1NVQgAAEpgAAAH3AAAELqI5y+RPUy8yAAAUkAAAAE8AAABgaGyBu2NtYXAAABTgAAABlAAAAkQkRATXY3Z0IAAAFnQAAABeAAAAugDsQf1mcGdtAAAW1AAABZcAAAvNb3/BHGdhc3AAABxsAAAACAAAAAgAAAAQZ2x5ZgAAHHQAAEApAAB3CtbiupxoZWFkAABcoAAAADYAAAA2BkubWWhoZWEAAFzYAAAAIAAAACQHFARfaG10eAAAXPgAAAI6AAAEEk4TN4Nsb2NhAABfNAAAAhIAAAISiLhpam1heHAAAGFIAAAAIAAAACACigzgbmFtZQAAYWgAAACUAAABHhQGLdJwb3N0AABh/AAAAq4AAASRk5y6n3ByZ...QxUajCCFt4p9HP4fzdSWs2XhWl5HvJazrIrFUyB0l5dpqcW10lV2wukjMLuAvyMHNiYpgPsrCVXZDKrkpll6UWkh7kABVAFVCDe7UFmxagDegA+hLHRPbqtMo7ZHCpKdT6tPGXybzo0+RXBLoPZt1tELcXxCmAAyZwYTJvdDFZKnDER44X2451rDqCyunIsRWvLSx6wnWqwPj/uX5/KuEy6DL0z6A/Fn79VihxMFJsrlAFy4DpZOcvNlMeNp+BRDLj0r+XFdRxdSNSNxiI/AL3ojKdAAB4AWPw3sFwIihiIyNjX+QGxp0cDBwMyQUbGdictkUwWDAwsDJogTgOPN4c9iz6bMos4iysHFChUDZXJnMWTSZZJrAQt9M+YQYBBh4GTgY2kEZOoJiA0z4GBxiEiDEzuGxUYewIjNjg0BGxkTnFZaMaiLeLo4GBkcWhIzkkAqQkEggceHw5HFkM2VRZJFlYebR2MP5v3cDSu5GJwWUDW9xG1hQXAFAmKZU=' because it violates the following Content Security Policy directive: "font-src 'self'".

Refused to load the font 'data:application/font-woff2;charset=utf-8;base64,d09GMgABAAAAAGhEABIAAAABHTwAAGfcAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGkIb6mQchSwGYACHRggiCYRlERQKg4kcguJFC4R0AAE2AiQDiWQEIAWUNQeKcAyBP1s1BnGGvLUbRYp/twNW4z5vtdmB2u0osd3MvxYnx3XQHRzHVCy7s////z8nqYyxbeb+AyloVrAyLCITWUY5YTREN4p6VWFQr6R4m1riOFCoc1aZTTaMFUFGONjoCA4jQwQbtjmumdTkcfBiYykrw8oZynDdIuENbUxvGnuco8suSg/tPRwfWbe4d14bDvnZ5pkzdW061zFEPqlWcqN4Sb5oTJwI9vlNU+aFQsCZcKeraCZ+Zxulrbqq1aTb5uXdjLccpmaKCAQb5z9NtmnQjeZ6zb9svOnmSOkMzMnfQnAzfr2MZyW7Z+miWF9c/MxsIhHqyZ...gSr+kPN6pJ2WULfJstA8ys+fXvWSfdUgOZZZFVNtnlkFM+MuQqvxsxRXk74aDe62qFog2l497IdVSkgnuSuZBPvBNxA5FS8dqb0krk0YauAVcc0G0rEaGc8inDVshehi1uRTe/6/PpxSKx+JAr+a/AKUcQKlfD3xqYTO0V15WQTCbedAFyJK+16Gr8ZDsk3C1EmdzwRgoCCqxQ5IurMgnc7UEWC3lNOBQyuGQVeoO3kCtWaeBP4yQ3MJwkYOQKs3Xz2EgjVR5EXVd3NzZcpQx6oiDJLEkkErhbLY8Mm6isNbcXOkShjS7ETGY7+I07vYwO0WUWVuwu5trmdR35WKjfwe+2CnV/lWU6xRbsQA0Ghc3JbNkuqd/SW2ShEtUI8gNk/9ozBJngXXdNNqkiy1uFHuhWpaRbBMnwkjeuDe+DYNgLSWTPCVdrASJuREpG2EbENUhiQ4JmoulkSkRB5NolgmsHIsmhFItZRN2E/BxJbUItQ7SNpTRTAd0QAA==' because it violates the following Content Security Policy directive: "font-src 'self'".

Cool! I believe the content security policy is the root cause, any chance you modify your own deployment and replace the following part:
font-src 'self'
With:
font-src 'self' data:

To be clear that was on privatebin.net that gave the above errors. So looks like it needs to be fixed.

On my own site, it's already set correctly, as in:

cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self' data:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"

And nothing in crome console being reported on my site.

Note, even with the above option off, I still get blank previews/ posts.

Alright, I can confirm this is probably caused by one of your browser plug-ins where it try to load something on the page you're reading.

Some antivirus such as Kaspersky also does this.

No antivirus and happens with all Extensions disabled.

No proxy, no ad filtering, no nothing.

Also, I meant to say. Old version, 1.2.1, does NOT have this issue.

That is https://www.war59312.com/oldbin/ works fine. Preview and posts show up fine.

Ok I'm allocating resource for reproducing the bug now.

Will install Ubuntu 18.04 and Chrome next.

Do you mind take a screenshot of what it looks like?

What operation system and browser combination are you using as a client to access the privatebin?

Windows 10 1903 now with Chrome Version 78.0.3887.7 (Official Build) dev (64-bit)

Version 1.2.1 @ https://www.war59312.com/oldbin/ working correctly:

1 2 1

Version 1.3 @ https://www.war59312.com/bin/ NOT working correctly:

1 3

Thank you!

Just boot into install mode with
en_windows_10_consumer_editions_version_1903_x64_dvd_b980e68c.iso

Why is a font loaded via a data string? The only fonts I know we use in the project are the ones from bootstrap, so the CSP rule font-src 'self' should be sufficient. It really looks like something is injecting content into your browser tab that isn't from us. Pretty scary! :fearful:

@elrido , doesn't sound good.. I'll check into it.

Though, for sure looks like a font:

Font

I'm able to reproduce the bug, it seemed the bug is introduced in Chrome dev branch.

And it is NOT related to font loaded via data url during my test, no error printed in my console.

Need more time to investigate and record videos.

Pin point the problem to be related to jQuery, during a call to DOMPurify.sanitize on following line:

https://www.war59312.com/bin/js/privatebin.js?1.3:2217

Where the code is:

sanitizedLinkedText = DOMPurify.sanitize(escapedLinkedText);

Detailed error:

message: "Failed to execute 'invoke' on 'CreateHTMLCallback': The provided callback is no longer runnable."
stack: "Error: Failed to execute 'invoke' on 'CreateHTMLCallback': The provided callback is no longer runnable.↵    at Function.u.sanitize (https://www.war59312.com/bin/js/purify-1.0.11.js:1:7723)↵    at eval (eval at parsePaste (https://www.war59312.com/bin/js/privatebin.js?1.3:2218:13), <anonymous>:1:33)↵    at parsePaste (https://www.war59312.com/bin/js/privatebin.js?1.3:2218:13)↵    at Object.jQuery.PrivateBin.me.run (https://www.war59312.com/bin/js/privatebin.js?1.3:2371:17)↵    at HTMLAnchorElement.viewPreview (https://www.war59312.com/bin/js/privatebin.js?1.3:2058:25)↵    at HTMLAnchorElement.dispatch (https://www.war59312.com/bin/js/jquery-3.4.1.js:2:42571)↵    at HTMLAnchorElement.v.handle (https://www.war59312.com/bin/js/jquery-3.4.1.js:2:40572)"

In 1.2.1 the return value of DOMPurify.sanitize is:
correct return value

In 1.3 the return value of DOMPurify.sanitize is:
broken return value

en_windows_10_consumer_editions_version_1903_x64_dvd_b980e68c.iso
Windows 10 Pro
1903
18362.30

Google Chrome
Version 78.0.3887.7 (Official Build) dev (64-bit)

@ssx Could you please kindly let us know the version of Chrome you're running?

Ok, that would explain why it affects only 1.3: We upgraded the purify JS version from 1.0.7 to 1.0.11. If this does hit mainstream Chrome(ium) versions, lets open a ticket with the upstream and when they fixed it, release a fixed version in 1.3.1.

For reference, in Chromium 76.0.3809.100 I can't (yet) reproduce the issue.

The font problem shouldn't prevent the app to run and may stem from plugins like Grammarly or Web of Trust.

Chrome Version 76.0.3809.100 (Official Build) (64-bit)

On Sat, Aug 24, 2019 at 5:40 AM El RIDO notifications@github.com wrote:

Ok, that would explain why it affects only 1.3: We upgraded the purify JS
version from 1.0.7 to 1.0.11. If this does hit mainstream Chrome(ium)
versions, lets open a ticket with the upstream and when they fixed it,
release a fixed version in 1.3.1.

For reference, in Chromium 76.0.3809.100 I can't (yet) reproduce the issue.

The font problem shouldn't prevent the app to run and may stem from
plugins like Grammarly https://stackoverflow.com/a/50672596 or Web of
Trust https://stackoverflow.com/a/52154024.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/PrivateBin/PrivateBin/issues/483?email_source=notifications&email_token=AAB6HKJ3FJLOR65LQLN4O3DQGC3SZA5CNFSM4ILYXP42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5BYQ2Y#issuecomment-524519531,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAB6HKM2AHCUP7UVNLELUADQGC3SZANCNFSM4ILYXP4Q
.

OK, thanks for double confirming, I saw you put in the same version in the main issue, just want to make sure.

I just tried following combination:
Chrome Version 76.0.3809.100 (Official Build) (64-bit)
Mac OS 10.14.6 (18G87)

With your website https://bin.smr82.net but was not able to reproduce the problem.

I'm allocating resource to test it on Windows.

Hi @ssx ,
I'm afraid your problem is a different one, I just tested on Windows pro 1903 with Chrome Version 76.0.3809.100 (Official Build) (64-bit) and was not able to reproduce it neither:
test on windows

Allright, @rugk pointed us to the solution to the puzzle: As of Chrome 77 this (in all other browsers completely unsupported) feature is enabled by default and the upstream released a patch for this with DOMpurify 2.0.0. See https://github.com/cure53/DOMPurify/issues/361 for the details.

Have to say, Chrome devs start to really behave like the IE ones back in the Netscape/IE browser war of the 90ies. Create their own standards, implement them without coordination with W3C, etc.

Anyhow, I'll add a reminder to upgrade DOMpurify in the next dot release.

FYI working again as of:

Google Chrome Version 78.0.3904.9 (Official Build) dev (64-bit)

So closing this as fixed.

Was this page helpful?
0 / 5 - 0 ratings