Network error downloading js/script.js


#1

Hi.
I’m having this strange issue. Yesterday everything was ok, today it takes too much to download js/scripts.js (~500ms) and I’m receiving this error (on browser console):

(index):245 GET http://pbaglobaleaks-qas.publiacqua.it/js/scripts.js net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK)
loadjsfile @ (index):245
start_globaleaks @ (index):251
(anonymous) @ (index):258

And a blank page.
It looks like it takes too much to download the file, cuts the connection and the file is unreadable. Hitting refresh many times sometimes gets the file and then all the other pages start working too.

The environment is a fresh install of ubuntu 18.04 with the latest globaleaks and nothing more.
Any suggestion?

Is there a way to raise this timeout, if there is one? Or anything that I can troubleshoot?

Nico

PS: In English, to help anyone else who has the same problem :slight_smile:


#2

Thank you so much @nicola_covip,

I’m going to open a ticket for this issue and post the link here.

For bug reporting please use our ticketing system directly: https://github.com/globaleaks/GlobaLeaks/issues


#3

@nicola_covip: I’m trying to reach the platform to run some tests but it does not seem reachable from my side.

What is the public IP of the server hosting the platform?

Which globaleaks version are you running?
Is globaleaks running behind a proxy server?
Is this a stock globaleaks or a modified version?

best,

Giovanni Pellerano


#4

Ciao Giovanni,

there is no public ip, the site is going to be visible only in the internal network of a big public company.
No proxy. Stock globaleaks 3.4.1.

N.


#5

Got it, thank you. Can you provide me the Tor address instead?

Which browser are you using? Do you have the same issue with alternate browsers?

Off topic but probably relevant to what you are reporting:
Are you considering offering Internet exposure when the platform is in production?
We may advise you on the specific topic, as for compliance with 179/2017 and 231/2001 the platform should be made available to employees at large, including current/past providers that may not have access to the intranet of the company. It is also best practice to let employees send submissions from where they are more confident (e.g. from home or an internet cafe, not exposed to the company's closed-circuit cameras), and this openness is proven to support the transparency and ethics of the company.


#6
With regard to the best practices of ISO 37001 for whistleblowing compliance with 179/2017, the internal audit officer and Organismo di Vigilanza must be made aware that:
  • Article 8.9 of section C of ISO 37001:2016 requires providing anonymity

  • Anonymity can’t be provided without public open-internet exposure AND with anonymous network support
    https://blog.torproject.org/italian-anti-corruption-authority-anac-adopts-onion-services

  • The ANAC 2018 report demonstrates that >90% of whistleblowing reports happen early in the morning or late in the evening, outside the corporate network. Whistleblowing in the public or private sector exposes the very same dynamics. All private whistleblowing in the US is publicly internet exposed.

So, preventing access from outside is against the legal duty to follow industry standard best practices for whistleblowing mandated by 231/2001 with the specific requirements of 179/2017.

@uaiz I suggest you provide those references to the internal legal owner of the whistleblowing procedure, who is probably not yet aware of the intersection of international best practices (ISO 37001:2016) and technological deployments.

</NOT TECH POST>

Fabio


#7

Chrome net::ERR_INCOMPLETE_CHUNKED_ENCODING interesting errors:
https://bugs.chromium.org/p/chromium/issues/detail?id=461213

One of the solutions was:
“Adding Content-length fix my problem. Thank you!”

Looking at the GlobaLeaks header output there’s no Content-length header, maybe this could be it?

Or we have Transfer-Encoding: Chunked while we may operate also on this disabling chunked encoding transfer for all javascript application boot-up? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding
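
Added example, not part of the thread and not GlobaLeaks code: a small Python check of the two framings discussed in post #7, reporting whether a captured raw HTTP/1.1 response is complete. A chunked body that ends before its zero-length final chunk is the condition Chrome reports as net::ERR_INCOMPLETE_CHUNKED_ENCODING; the sample responses and function names are constructed for illustration.

```python
HEX = b"0123456789abcdefABCDEF"

def parse_chunked(body):
    """Decode a chunked body; return (payload, complete)."""
    payload, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return bytes(payload), False            # cut inside a size line
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise ValueError(f"bad chunk size line: {size_field!r}")
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            # Final chunk: a bare CRLF, or trailers ending in a blank line.
            rest = body[pos:]
            return bytes(payload), rest == b"\r\n" or rest.endswith(b"\r\n\r\n")
        chunk = body[pos:pos + size]
        payload += chunk
        tail = body[pos + size:pos + size + 2]
        if len(chunk) < size or len(tail) < 2:
            return bytes(payload), False            # cut inside chunk data
        if tail != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2

def check_response(raw):
    """Return (framing, body_bytes_received, complete) for a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        payload, complete = parse_chunked(body)
        return "chunked", len(payload), complete
    if b"content-length" in headers:
        declared = int(headers[b"content-length"])
        return "content-length", len(body), len(body) >= declared
    return "close-delimited", len(body), None       # end marked only by close

# Constructed samples: the same script body, delivered whole and cut short.
HEAD = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
COMPLETE = HEAD + b"7\r\nvar a=1\r\na\r\n;var b=22;\r\n0\r\n\r\n"
TRUNCATED = HEAD + b"7\r\nvar a=1\r\na\r\n;var"

if __name__ == "__main__":
    for label, raw in (("complete", COMPLETE), ("truncated", TRUNCATED)):
        print(label, check_response(raw))
```

Feeding it the bytes saved from a capture of the failing request shows whether the server side ended the stream early or something on the path did.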


#8

Here it is:
http://2fi5fnhagrbuswza.onion

Anyway I have never had problems with the tor site, only accessing it by http I have the problem.

Thank you for the other advices.

N.


#9

Hi Nicola,

I also opened a GitHub bug issue at https://github.com/globaleaks/GlobaLeaks/issues/2448 but we’re not yet able to reproduce the problem.

Would it be possible to know:

  • Exact version of Chrome and Operating System
  • If you are going through a proxy to the GlobaLeaks system or using a direct connection
  • If, once you enable HTTPS, the error disappears

GlobaLeaks is designed to be used over HTTPS and Tor; HTTP is a temporary situation meant to provide the ability to activate the TLS certificate (by manually loading it or by automatic activation with letsencrypt), so if you are using it over plain HTTP it may be an untested and unsupported condition.

I am thinking that, if you are using it over HTTP in a corporate network, you may be having a proxy server interfering somehow in the HTTP-protocol dialogue?

Would you be able to open it up only to our IP addresses, or HTTP/password protected (GlobaLeaks supports HTTP login/password protection from advanced settings), to carry on testing?

Fabio


#10
Google Chrome 70.0.3538.77 (Official Build) (64-bit)
Revision 0f6ce0b0cd63a12cb4eccea3637b1bc9a29148d9-refs/branch-heads/3538@{#1039}
OS Ubuntu 18.04.1 LTS

Tried also with Firefox Quantum 63.0.1 (64-bit).
There is no proxy between me and the server.

With https configured the problem is no longer present.


#11

Great! Thank you Nicola,

We will continue to investigate the issue in HTTP and report on the ticket as soon as the issue is well understood.

best,

Giovanni