
Blocked by corporate firewall? #305

Open
BenThomasFOD opened this issue May 18, 2021 · 11 comments

Comments

@BenThomasFOD

We implemented zxcvbn on our site (great work! Thanks!) but have had a couple of reports of it "not working" for some users: the zxcvbn script never loaded in their browser (even on modern browsers such as the latest version of Chrome, for example).

It appears it's being blocked by corporate firewalls in some cases (presumably because of the swearwords and NSFW words in the dictionary list).

Has anyone else had this problem and are there any potential workarounds?

@BradKML

BradKML commented May 19, 2021

CDN? archive.fo? Not really the problem of ZXCVBN.

@BenThomasFOD

We're not using a CDN currently; we're just loading it directly from our site. So all the other JS on the site is being loaded, but zxcvbn is being blocked (I assume) due to the NSFW words when the firewall "scans" the file / request being loaded. I'm not really saying it's an "issue" with zxcvbn, because that's just how it works: it needs those words in there to be useful. But I wondered if anyone had any elegant solutions to handle it more gracefully.

Or, just throwing ideas out there: would it work to have a separate, shorter list of the words which would potentially be blocked by firewalls, handled differently, i.e. not stored in plaintext where a firewall can easily block it, but encrypted in some way?

Just interested to see how many other people are affected by this too. It feels like it can't just be us, so if there are loads I'd maybe have a look in my spare time to see if I can think of a solution.

@BradKML

BradKML commented May 19, 2021

Save the repo in a ZIP file and send it as an email through the firewall? If ZXCVBN has to work correctly, the curse words have to be included.

@BenThomasFOD

BenThomasFOD commented May 19, 2021

Oh.. no, these are just users of our public website who are having problems. zxcvbn is already on the site and used successfully by hundreds / thousands of users. We just have a "few" who get problems if they're accessing our website (well, setting their password) while they are behind a corporate firewall.

Would need to test the performance impact, but I assume encrypting those curse words would be enough to get it through the firewall and downloaded into the user's browser; then it could decrypt that list of words to use as it does now, using some really light encryption algorithm to keep the performance impact to a minimum.

@BradKML

BradKML commented May 19, 2021

Perhaps add an exception to the corporate firewall? I am not a network engineer, but that is the keyword you are looking for:
"Firewall Whitelist", "Firewall Exception".

@BenThomasFOD

As I said, it's a "public" website. We're not in control of their networks :) We can't track down and contact random users to tell them to unblock specific JS scripts on our website unless they contact us and say "hey, your site is broken", and then we can reply, "no it's not, your firewall is being too strict".

But how many of those users just never mention the issue and go elsewhere? :)

Just trying to come up with potential solutions, or at least start a discussion which might help everyone who uses this (assuming we're not some special case and the only people having this problem).

@BradKML

BradKML commented May 19, 2021

I would like to seriously ask: does the firewall lie on the server side, or on the corporate user side?
Other than using a ZIP file as data obfuscation, try encryption, as most firewalls can't block jumbled text.

TBH this repo is only used to host the maths/statistics algorithm, and NOT for any type of deployment. All deployment has to be dealt with elsewhere.

@BenThomasFOD

The firewall is between the random user using our website and the internet (i.e. on their corporate network).

@MrWook

MrWook commented May 20, 2021

Someone had a similar problem: #239

I don't want to advertise, but you could use https://github.com/zxcvbn-ts/zxcvbn, where you load the dictionary afterwards. With it, the core library to identify the strength of a password is always loaded and only the dictionary itself can be blocked.

You could then load the dictionaries on the server, remove words that could be blocked and serve the new dictionary yourself.
On the other hand, you could encrypt only the dictionaries on the server, load them into the frontend, decrypt the dictionaries and load them into zxcvbn. The downside of the encryption is that it would probably take a while to decrypt.
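
The "encrypt the word list, decode it in the browser" idea raised in this thread (BenThomasFOD's earlier comments and MrWook's second option above), worked through as an added example; this is not code from zxcvbn, zxcvbn-ts or any commenter. It uses a fixed-key XOR with hex output, which is obfuscation against byte-pattern matching and not confidentiality: the key sits in the page source, and that is acceptable only because the word list is public anyway. `OBFUSCATION_KEY`, `encodeDictionary`, `decodeDictionary`, `loadObfuscatedDictionary` and the sample words are all assumptions of the example; the `install` callback stands in for whatever call feeds a word list into the zxcvbn variant you use. Decoding is a single pass over the payload, so its cost is linear in the dictionary size. Before shipping either this or a filtered dictionary, confirm what the affected users actually receive: a proxy block page in place of the script (the case this thread assumes) is addressed by changing the file's bytes, whereas blocking by URL, domain or category is not.

```javascript
// Added example, not code from zxcvbn, zxcvbn-ts or anyone in this thread.
// Goal: the plaintext dictionary words never appear contiguously in the file a
// content-inspecting proxy sees, yet the browser can rebuild them in one pass.
// This is obfuscation against byte-pattern matching, NOT confidentiality: the key
// ships with the page. That is acceptable only because the word list is public.

// Hypothetical fixed key; any ASCII string works as long as both sides share it.
const OBFUSCATION_KEY = "zxcvbn-dict-v1";

// Build-time step (server side, run once when the dictionary is bundled).
// Input: array of words. Output: lowercase hex of the UTF-8 bytes XORed with the key.
function encodeDictionary(words) {
  const bytes = new TextEncoder().encode(words.join(","));
  let hex = "";
  for (let i = 0; i < bytes.length; i++) {
    const k = OBFUSCATION_KEY.charCodeAt(i % OBFUSCATION_KEY.length);
    hex += (bytes[i] ^ k).toString(16).padStart(2, "0");
  }
  return hex;
}

// Runtime step (browser). Rejects anything that is not a well-formed payload, so a
// proxy block page or a truncated response fails loudly instead of yielding garbage.
function decodeDictionary(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error("decodeDictionary: payload is not a hex string");
  }
  const bytes = new Uint8Array(hex.length / 2);
  for (let i = 0; i < bytes.length; i++) {
    const k = OBFUSCATION_KEY.charCodeAt(i % OBFUSCATION_KEY.length);
    bytes[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16) ^ k;
  }
  const joined = new TextDecoder().decode(bytes);
  return joined === "" ? [] : joined.split(",");
}

// Glue the page calls once the payload has been fetched. `install` is a hypothetical
// stand-in for whatever call feeds a word list into the zxcvbn variant in use (a
// parameter here so the example runs offline). On failure the caller learns that the
// meter is unconfigured instead of silently running with a half-loaded dictionary.
function loadObfuscatedDictionary(payload, install) {
  try {
    const words = decodeDictionary(payload);
    install(words);
    return { loaded: true, count: words.length };
  } catch (err) {
    return { loaded: false, count: 0, error: err.message };
  }
}

// Constructed sample in the shape of zxcvbn's `passwords` list, including one entry
// a content filter would plausibly match on.
const SAMPLE_WORDS = ["123456", "password", "eatshit", "goodluck", "starcraft"];
const PAYLOAD = encodeDictionary(SAMPLE_WORDS);

// The check worth running on every build: no plaintext word survives in the payload.
function payloadLeaksWords(payload, words) {
  return words.some((w) => payload.includes(w));
}

console.log(PAYLOAD);
console.log(payloadLeaksWords(PAYLOAD, SAMPLE_WORDS) ? "LEAK" : "no plaintext words in payload");
console.log(loadObfuscatedDictionary(PAYLOAD, () => {}));
```

Serve the hex string as a separate resource (or inline it as a JS string constant) and call `loadObfuscatedDictionary` after the core library has loaded; because the decoder validates the payload shape, an HTML block page substituted by a proxy is reported as `loaded: false` rather than being split into nonsense "words".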

@BenThomasFOD

Thanks, I've had a couple of good suggestions on StackOverflow which I'm going to try when I get time. Some of them are really simple but may just work :)

https://stackoverflow.com/questions/67604985/javascript-file-blocked-by-a-corporate-firewall/

I particularly like the simplicity of this example; it will be great if it actually gets around it! But we'll see..

// Split any word a content filter might match across two string literals, so the
// whole word never appears contiguously in the file; the JS engine joins them at load.
var frequency_lists;
frequency_lists = {
  passwords: "123456,password,eatsh" + "it,goodluck,starcraft"
};
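
The split-literal trick in the snippet above, applied mechanically at build time rather than by hand, as an added example; this is not code from the original post, the StackOverflow answer or zxcvbn. Any word containing a flagged term is cut inside that term and emitted as adjacent string literals joined with `+`, so the term never appears contiguously in the served file, while untouched words stay readable and nothing has to be decoded at runtime. `FLAGGED_TERMS`, `emitSplitSource`, the check functions and the sample list are assumptions of the example; which words a given filter actually matches on is not known from this thread. Like any change to the file's bytes, it only helps against filters that inspect content; a filter that blocks on URL, domain or category, or that normalizes and evaluates scripts, is unaffected.

```javascript
// Added example, not code from the original post, the StackOverflow answer or zxcvbn.
// Mechanical version of the "split the literal" trick: every occurrence of a flagged
// term is cut in the middle and the pieces are emitted as JS string literals joined by
// `+`. The engine folds the concatenation when the file is evaluated, so there is no
// runtime decode step.

// Hypothetical list of terms to break up. A real build would take this from your own
// block reports. Terms shorter than 2 characters are ignored: a single cut cannot
// remove a 1-character term, and an empty term would never terminate the scan.
const FLAGGED_TERMS = ["shit"];

// Earliest flagged term in `s` as { idx, term }, or null if none is present.
function earliestFlagged(s) {
  let best = null;
  for (const term of FLAGGED_TERMS) {
    if (term.length < 2) continue;
    const idx = s.indexOf(term);
    if (idx !== -1 && (best === null || idx < best.idx)) best = { idx, term };
  }
  return best;
}

// Build-time step: turn a word list into the JS expression for its comma-joined form.
// Returns the emitted source and the literal pieces, so the output can be verified
// without evaluating generated code.
function emitSplitSource(words) {
  let remaining = words.join(",");
  const literals = [];
  for (;;) {
    const hit = earliestFlagged(remaining);
    if (hit === null) break;
    // Cut one character into the term: "eatshit" becomes "eats" + "hit". The scan
    // then continues on the remainder, so repeated terms are each broken up.
    const cut = hit.idx + 1;
    literals.push(remaining.slice(0, cut));
    remaining = remaining.slice(cut);
  }
  literals.push(remaining);
  return { source: literals.map((s) => JSON.stringify(s)).join(" + "), literals };
}

// The two checks worth running on every build output: no flagged term survives in
// the emitted source, and the pieces concatenate back to the original list.
function sourceLeaksTerms(source) {
  return earliestFlagged(source) !== null;
}
function reassembles(result, words) {
  return result.literals.join("") === words.join(",");
}

// Constructed sample in the shape of zxcvbn's `passwords` list.
const SAMPLE_LIST = ["123456", "password", "eatshit", "goodluck", "starcraft"];
const RESULT = emitSplitSource(SAMPLE_LIST);

console.log("var frequency_lists = { passwords: " + RESULT.source + " };");
console.log(sourceLeaksTerms(RESULT.source) ? "LEAK" : "no flagged term in emitted source");
console.log(reassembles(RESULT, SAMPLE_LIST) ? "pieces round-trip" : "MISMATCH");
```

Run this over each list in the dictionary file when bundling and paste the emitted expressions into the `frequency_lists` object; the two check functions belong in the build so that a new word in the list cannot quietly reintroduce a flagged term.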

@mkopinsky

One option to consider which may do the trick, depending on your user base: when a user reports a problem, have a standard email saying something like, "This is a firewall thing. Please recommend to your IT people that they whitelist $URL. In the meantime, you can visit oursite.com/reset-password?zxcvbn=false to reset your password if you promise to set it to something secure (since that URL doesn't enforce password strength)".

Or even perhaps

if (!window.zxcvbn) {
  // zxcvbn never loaded, e.g. the script request was blocked upstream.
  // Double quotes so the apostrophe in "company's" does not end the string.
  window.alert("Seems like firewall is blocking.... Please append ?zxcvbn=false to the URL to get around your company's silly firewall rules");
}
