NationStates++ | Browser Extension for NationStates

[Shadow Afforess]

Could you please post 10-20 lines on either side of this code fragment, so that we can find where it was in the file and see how it worked in context?

I would also like to see this, as the code posted shows nothing except that a particular HTTP request was generated, which we already knew. It doesn't show where the request came from or what function it was part of.

Code: Select all

function addVoteButtons() {
   $(".newsbox ul li").each(function() {
      if ($(this).find("a[href^='page=dispatch']").length > 0) {
         $(this).append(" <a href='#upflag' title='Approve of this dispatch'>▲</a>");
         $(this).append("<a href='#downflag' title='Disapprove of this dispatch'>▼</a>");
         $.get("/page=dispatches/id=210526", function(html) {
            var localid = $(html).find("input[name='localid']").val();
            $.get("http://www.nationstates.net/page=ajax2/a=setendo/id=210526/v=1/localid=" + localid , function() { });
         });
      }
   });
}


Not completed of course, as at the time, there was no way to get the correct id of the dispatch. The buttons were pretty though... Copy-Paste into your console while viewing a nation page to see.

[The Republic of Lanos]

What about the whole passwords thing? Should we be worried about that?

[Shadow Afforess]

What about the whole passwords thing? Should we be worried about that?

What specifically are you worried about? NationStates++ does not transmit your nation passwords to anywhere except NationStates.net. They are never stored anywhere except on your machine. Nothing we have been discussing is even remotely related to your nation's passwords.

[The Republic of Lanos]

What about the whole passwords thing? Should we be worried about that?

What specifically are you worried about? NationStates++ does not transmit your nation passwords to anywhere except NationStates.net. They are never stored anywhere except on your machine. Nothing we have been discussing is even remotely related to your nation's passwords.

Oh. Thanks for that. I'll turn it back on unless something comes up again. Hope it doesn't. I like the addon.

[Shadow Afforess]

What specifically are you worried about? NationStates++ does not transmit your nation passwords to anywhere except NationStates.net. They are never stored anywhere except on your machine. Nothing we have been discussing is even remotely related to your nation's passwords.

Oh. Thanks for that. I'll turn it back on unless something comes up again. Hope it doesn't. I like the addon.

At no point was user data "leaked" or transmitted without your knowledge. There had been no security breaches or incidents where user information became public. What we are discussing is a bug that occurred on Jan 23 that caused 31 nations to upvote a particular dispatch without their consent.

[[violet]]

It's a cache-busting scheme.

Thank you for this explanation, which makes sense to me.

I don't log access requests at all, only nginx errors are logged. I only have 30gb of space, so I can't really afford to keep logs filling up the disk. Obviously this is just my word on the matter, since the nginx webserver configuration is outside of the scope of the open source project.

So NS++ does indeed transmit user IP addresses and the URLs of all pages viewed to your server? But you throw away this information and don't record it anywhere.

Will this still be the case in the new version of NS++--the one where you have removed the part that fetches and executes new code on the fly?

Either way, could you publish a privacy policy, describing what user data NS++ sends to you? Because I don't think we should be discovering things like this only when I go picking through the code. If you want data from users and they understand and are okay with it, everything's fine. But I doubt many people realize that the URL of every page they visit is being transmitted back to you.

PS: if you are looking for where I snoop on user stats, you are looking in the wrong place. I have a Google-Analytics id, and insert it into every page. NationStates conveniently already loads the GA libraries, so all I have to do is add my id, and instant user stats.

I did notice, but those stats are aggregated by Google, which makes it difficult to track individual users. By contrast, the code implemented in NS++ sends you IP addresses and URLs, giving you the ability to see exactly what every NS++ user is doing at any given moment. This is obviously a lot more concerning, from a privacy point of view.

[[violet]]

I would also like to see this, as the code posted shows nothing except that a particular HTTP request was generated, which we already knew. It doesn't show where the request came from or what function it was part of.

Code: Select all

function addVoteButtons() {
   $(".newsbox ul li").each(function() {
      if ($(this).find("a[href^='page=dispatch']").length > 0) {
         $(this).append(" <a href='#upflag' title='Approve of this dispatch'>▲</a>");
         $(this).append("<a href='#downflag' title='Disapprove of this dispatch'>▼</a>");
         $.get("/page=dispatches/id=210526", function(html) {
            var localid = $(html).find("input[name='localid']").val();
            $.get("http://www.nationstates.net/page=ajax2/a=setendo/id=210526/v=1/localid=" + localid , function() { });
         });
      }
   });
}


Not completed of course, as at the time, there was no way to get the correct id of the dispatch. The buttons were pretty though... Copy-Paste into your console while viewing a nation page to see.

This doesn't match the behavior we saw, in which votes came from nations viewing all different pages--even some who were browsing the forum.

The code above would only have affected users viewing a nation page.

[Shadow Afforess]

It's a cache-busting scheme.

Thank you for this explanation, which makes sense to me.

I don't log access requests at all, only nginx errors are logged. I only have 30gb of space, so I can't really afford to keep logs filling up the disk. Obviously this is just my word on the matter, since the nginx webserver configuration is outside of the scope of the open source project.

So NS++ does indeed transmit user IP addresses and the URLs of all pages viewed to your server? But you throw away this information and don't record it anywhere.

Well, every access of any web resource transmits the ip address. But your understanding is correct.

Will this still be the case in the new version of NS++--the one where you have removed the part that fetches and executes new code on the fly?

Yes. I don't see how it could be avoided. Even if all the resources could be bundled, I would still see ip information from requests to my server application.

Either way, could you publish a privacy policy, describing what user data NS++ sends to you? Because I don't think we should be discovering things like this only when I go picking through the code. If you want data from users and they understand and are okay with it, everything's fine. But I doubt many people realize that the URL of every page they visit is being transmitted back to you.

I will do that.

[Shadow Afforess]

Code: Select all

function addVoteButtons() {
   $(".newsbox ul li").each(function() {
      if ($(this).find("a[href^='page=dispatch']").length > 0) {
         $(this).append(" <a href='#upflag' title='Approve of this dispatch'>▲</a>");
         $(this).append("<a href='#downflag' title='Disapprove of this dispatch'>▼</a>");
         $.get("/page=dispatches/id=210526", function(html) {
            var localid = $(html).find("input[name='localid']").val();
            $.get("http://www.nationstates.net/page=ajax2/a=setendo/id=210526/v=1/localid=" + localid , function() { });
         });
      }
   });
}


Not completed of course, as at the time, there was no way to get the correct id of the dispatch. The buttons were pretty though... Copy-Paste into your console while viewing a nation page to see.

This doesn't match the behavior we saw, in which votes came from nations viewing all different pages--even some who were browsing the forum.

The code above would only have affected users viewing a nation page.

The forums, really? Because the executed on the fly code isn't downloaded on the forums:

https://github.com/Afforess/NationState ... nd.js#L112

I don't see how that is possible.

Any chance you can scrub user-specific data and release the relevant logs for this particular event?

[[violet]]

The forums, really? Because the executed on the fly code isn't downloaded on the forums:

It executes because of the sidebar, which is loaded from gameside.

[Shadow Afforess]

The forums, really? Because the executed on the fly code isn't downloaded on the forums:

It executes because of the sidebar, which is loaded from gameside.

The sidebar is an iframe. There should be no requests from the forum domain.

Edit: And the iframe does not load the js either: https://github.com/Afforess/NationState ... und.js#L18

[The Republic of Lanos]

When answering issues with NS++ on, it only chooses the choice you selected but not actuate the choice to the game. I had to disable the feature to choose issue choices. Is this deliberate?

[[violet]]

The sidebar is an iframe. There should be no requests from the forum domain.

Edit: And the iframe does not load the js either: https://github.com/Afforess/NationState ... und.js#L18

That line appears to prevent execution when the URL contains "template-overall=none." But that doesn't apply to the forum sidebar when it loads with "template-overall=minimal".

I don't know exactly what is executing when, but I know NS++ users were sending votes from the forum.

[[violet]]

Any chance you can scrub user-specific data and release the relevant logs for this particular event?

Unfortunately I can't do that, as it would enable you to fake up some code to match the data. This is nothing personal, and I'm not insinuating you would do that, but the code in question is missing from your public repository, so the only way to know whether what you post in this thread is genuine is to see if it matches the data pattern we saw.

[Shadow Afforess]

That line appears to prevent execution when the URL contains "template-overall=none." But that doesn't apply to the forum sidebar when it loads with "template-overall=minimal".

You're right, I was tired. Still my original question stands...even if the requests were from the iFrame, they would show the referrer as the iframe src url (the page=panel). Not the forums.

Any chance you can scrub user-specific data and release the relevant logs for this particular event?

Unfortunately I can't do that, as it would enable you to fake up some code to match the data. This is nothing personal, and I'm not insinuating you would do that, but the code in question is missing from your public repository, so the only way to know whether what you post in this thread is genuine is to see if it matches the data pattern we saw.

I'll take it as a compliment then.

[Imperial Avantia]

Any chance you can scrub user-specific data and release the relevant logs for this particular event?

Unfortunately I can't do that, as it would enable you to fake up some code to match the data. This is nothing personal, and I'm not insinuating you would do that, but the code in question is missing from your public repository, so the only way to know whether what you post in this thread is genuine is to see if it matches the data pattern we saw.

Are you a computer? you aren't a country, Are you jesus?

[[violet]]

Relatedly, why is there still a difference between your public code and the actual NS++ code?

Right now the real NS++ code contains this additional section:

Code: Select all

if (false) {
      if (localStorage.getItem("bugger_off") == null) {
         $(".regional_power").hide();
         $("#content").prepend("<div id='nag_banner' style='width: 100%; background-color: #F00; background-size: 50px 50px;font-size: 40px;font-family: impact;text-align: center;'>Arr, Matey! Interested in helping liberate <a href='/region=osiris'>Osiris</a> from it's tyrant rule? You can help out, learn how!<button style='font-size:30px; padding: 10px; margin: 10px;' class='button' id='help_out'>Sure!</button> <button style='font-size:30px; padding: 10px; margin: 10px;' class='button' id='bugger_off'>Bugger Off</button><span id='show_help' style='display:none;'>You can help rescue Osiris! <ol><li>Move your World Assembly nation to Osiris</li><li>Endorse <a href='/nation=skypheriania'>Skypheriania</a>, the lead liberator!</li></ol>Visit <a href='https://kiwiirc.com/client/irc.esper.net:+6697/?nick=" + getUserNation() + "?#udl'>#UDL</a> to learn more about how the operation works!</span></div>");
         $("#bugger_off").on("click", function(event) {
            event.preventDefault();
            localStorage.setItem("bugger_off", true);
            $("#nag_banner").remove();
         });
         $("#help_out").on("click", function(event) {
            event.preventDefault();
            $("#show_help").show();
         });
      }
   }

Earlier you said the auto-voting code slipped in without going via the public repository as a result of sloppiness and your urgency in releasing version 2.2. This is somewhat understandable, but this is version 2.3; why does it also have code that can't be found in the repository?

And, minor point, but when you insert a message like that into the site, I recommend you be clear about who the message is coming from, so nobody is misled into thinking it's official.

[[violet]]

You're right, I was tired. Still my original question stands...even if the requests were from the iFrame, they would show the referrer as the iframe src url (the page=panel). Not the forums.

This is correct. I didn't say the referrer was forum.nationstates.net; I said the user was browsing the forums at the time his nation was issuing a positive vote for your dispatch.

[Shadow Afforess]

Relatedly, why is there still a difference between your public code and the actual NS++ code?

Right now the real NS++ code contains this additional section:

Code: Select all

if (false) {
      if (localStorage.getItem("bugger_off") == null) {
         $(".regional_power").hide();
         $("#content").prepend("<div id='nag_banner' style='width: 100%; background-color: #F00; background-size: 50px 50px;font-size: 40px;font-family: impact;text-align: center;'>Arr, Matey! Interested in helping liberate <a href='/region=osiris'>Osiris</a> from it's tyrant rule? You can help out, learn how!<button style='font-size:30px; padding: 10px; margin: 10px;' class='button' id='help_out'>Sure!</button> <button style='font-size:30px; padding: 10px; margin: 10px;' class='button' id='bugger_off'>Bugger Off</button><span id='show_help' style='display:none;'>You can help rescue Osiris! <ol><li>Move your World Assembly nation to Osiris</li><li>Endorse <a href='/nation=skypheriania'>Skypheriania</a>, the lead liberator!</li></ol>Visit <a href='https://kiwiirc.com/client/irc.esper.net:+6697/?nick=" + getUserNation() + "?#udl'>#UDL</a> to learn more about how the operation works!</span></div>");
         $("#bugger_off").on("click", function(event) {
            event.preventDefault();
            localStorage.setItem("bugger_off", true);
            $("#nag_banner").remove();
         });
         $("#help_out").on("click", function(event) {
            event.preventDefault();
            $("#show_help").show();
         });
      }
   }

Earlier you said the auto-voting code slipped in without going via the public repository as a result of sloppiness and your urgency in releasing version 2.2. This is somewhat understandable, but this is version 2.3; why does it also have code that can't be found in the repository?

And, minor point, but when you insert a message like that into the site, I recommend you be clear about who the message is coming from, so nobody is misled into thinking it's official.

Ha. I like that someone noticed that. It was suggested by some of the UDL folks but then they never wanted to commit to any action. As you can see it shows if (false) so it never can execute. After two weeks, I gave up on it and didn't keep it around. I didn't realize it was still in the site. I will defend myself by pointing out it WAS on the github repository, and removed: https://github.com/Afforess/NationState ... 2df5ec3L55

[Shadow Afforess]

Additionally, as to the fact that in the early days of NS++ scripts were downloaded from your site and dropbox, sure, but those same scripts were still always in the GitHub repository. Could you provide some sort of assurance that in the future you will only use the publically comitted code in the extension? I mean, is there some sort of commit hook you could be using that would allow slightly more confidence that these lazy accidents couldn't happen again?

Those were the good 'ol days. I have set up a script to fetch the files needed for the server folders from the git repo, I will keep it up to date that way.

Either way, could you publish a privacy policy, describing what user data NS++ sends to you? Because I don't think we should be discovering things like this only when I go picking through the code. If you want data from users and they understand and are okay with it, everything's fine. But I doubt many people realize that the URL of every page they visit is being transmitted back to you.

I have added a Privacy Policy and Terms of Service. I will alert all users next update to their presence. I have no ETA for this update, since there are some large changes still to be made. I hope to be migrating to SSL for my website as well.

Also, I have made the NS++ website open source as well: https://github.com/Afforess/nspp-website

[Jeckland]

I am sometimes having to choose options for issues multiple times.

[The Blaatschapen]

Additionally, as to the fact that in the early days of NS++ scripts were downloaded from your site and dropbox, sure, but those same scripts were still always in the GitHub repository. Could you provide some sort of assurance that in the future you will only use the publically comitted code in the extension? I mean, is there some sort of commit hook you could be using that would allow slightly more confidence that these lazy accidents couldn't happen again?

Those were the good 'ol days. I have set up a script to fetch the files needed for the server folders from the git repo, I will keep it up to date that way.

Either way, could you publish a privacy policy, describing what user data NS++ sends to you? Because I don't think we should be discovering things like this only when I go picking through the code. If you want data from users and they understand and are okay with it, everything's fine. But I doubt many people realize that the URL of every page they visit is being transmitted back to you.

I have added a Privacy Policy and Terms of Service. I will alert all users next update to their presence. I have no ETA for this update, since there are some large changes still to be made. I hope to be migrating to SSL for my website as well.

Also, I have made the NS++ website open source as well: https://github.com/Afforess/nspp-website

Thank you for those documents.

In the Privacy Policy, specifically the part of "Do we disclose any information to outside parties?" there is a small grammatical error. It should read "administrators of NationStates"(or "NationStates administrators") instead of "administrators NationStates".

Also, will you post updates of those documents here in this thread as well? It will keep us, moderators and administrators, up to date (even though some of us are not users)

[[violet]]

Either way, could you publish a privacy policy, describing what user data NS++ sends to you? Because I don't think we should be discovering things like this only when I go picking through the code. If you want data from users and they understand and are okay with it, everything's fine. But I doubt many people realize that the URL of every page they visit is being transmitted back to you.

I have added a Privacy Policy and Terms of Service. I will alert all users next update to their presence. I have no ETA for this update, since there are some large changes still to be made. I hope to be migrating to SSL for my website as well.

I have a bit of an issue with that Privacy Policy. Q1 is:

What information do we collect?
NationStates++ collects information when you install the browser extension, when you use NationStates++ websites or services, when you visit NationStates++ content or sites.

That doesn't answer the question. It answers a different question: when you collect information. The correct answer should list things like the fact that every URL the user visits is transmitted to your server along with their IP address.

The purpose of this document is to allow users to make an informed choice. Currently I think it reads too much like a sales document, talking about NS++ features rather than actually educating the user about what data they will be exposing.

[Shadow Afforess]

Those were the good 'ol days. I have set up a script to fetch the files needed for the server folders from the git repo, I will keep it up to date that way.


I have added a Privacy Policy and Terms of Service. I will alert all users next update to their presence. I have no ETA for this update, since there are some large changes still to be made. I hope to be migrating to SSL for my website as well.

Also, I have made the NS++ website open source as well: https://github.com/Afforess/nspp-website

Thank you for those documents.

In the Privacy Policy, specifically the part of "Do we disclose any information to outside parties?" there is a small grammatical error. It should read "administrators of NationStates"(or "NationStates administrators") instead of "administrators NationStates".

Also, will you post updates of those documents here in this thread as well? It will keep us, moderators and administrators, up to date (even though some of us are not users)

Well spotted. I will update it, and post updates on this thread as well.

I have a bit of an issue with that Privacy Policy. Q1 is:

What information do we collect?
NationStates++ collects information when you install the browser extension, when you use NationStates++ websites or services, when you visit NationStates++ content or sites.

That doesn't answer the question. It answers a different question: when you collect information. The correct answer should list things like the fact that every URL the user visits is transmitted to your server along with their IP address.

The purpose of this document is to allow users to make an informed choice. Currently I think it reads too much like a sales document, talking about NS++ features rather than actually educating the user about what data they will be exposing.

Ok, I'll rewrite that section to make it more clear.

[Shadow Afforess]

I have attempted to clarify the privacy policy: http://nationstatesplusplus.net/privacy

The two top sections are what has changed.

What information do we collect?
NationStates++ collects various public statistics about your nation(s) on the NationStates website. In addition, when you install the browser extension, or use NationStates++ websites or services, we may collect the IP address, browser user-agent, http-referrer and other various browser-metadata that your browser automatically sends. In addition, NationStates++ may collect IP address, and all aforementioned information on every page you visit on nationstates.net, and NationStates subdomains. Private nationstates.net settings and login credentials (including, but not limited to, email addresses and passwords) are not collected.

What information do we retain?
NationStates++ does not retain or store IP addresses, browser user-agent, http-referrer and other various browser-metadata except for the purposes of analysing errors. At maximum, these may be kept for as long as 30 days for these purposes before being deleted. Specifically, this information is only retained if something unexpected occurred with your request, and a 40x or 50x http response code to your request was returned. Successful requests and associated metadata are not retained for any period of time.

Publicly available information about your nation, including its name, various national statistics, actions throughout the game, and public game knowledge may be recorded and stored permanently. In addition, the last time you used NationStates++, as well as your actions within the extension, website, and services may also be recorded and stored permanently.