From ba3efefc7bd2879ee7b9a233981eb4d0fb81c903 Mon Sep 17 00:00:00 2001
From: rugk <rugk+git@posteo.de>
Date: Wed, 13 Feb 2019 11:59:07 +0100
Subject: [PATCH 01/18] Add warning for insecure HTTP

---
 js/privatebin.js | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/js/privatebin.js b/js/privatebin.js
index cf74733..52ea8f6 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4436,6 +4436,7 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) {
             TopNav.init();
             UiHelper.init();
             Uploader.init();
+            InitialCheck.init();
 
             // check whether existing paste needs to be shown
             try {
@@ -4465,6 +4466,70 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) {
         return me;
     })(window, document);
 
+
+    /**
+     * initial (security) check
+     *
+     * @name   InitialCheck
+     * @param  {object} window
+     * @param  {object} document
+     * @class
+     */
+    var InitialCheck = (function (window, document) {
+        var me = {};
+
+        /**
+         * check if the connection is insecure
+         *
+         * @private
+         * @name   InitialCheck.isInsecureConnection
+         * @function
+         */
+        function isInsecureConnection()
+        {
+            const url = new URL(document.URL);
+
+            // HTTP is obviously insecure
+            if (url.protocol !== 'http:') {
+                return false;
+            }
+
+            // filter out actually secure connections over HTTP
+            if (
+                url.hostname.endsWith('.onion') ||
+                url.hostname.endsWith('.i2p')
+            ) {
+                return false;
+            }
+
+            // whitelist localhost for development
+            if (
+                url.hostname === 'localhost' ||
+                url.hostname === '127.0.0.1'
+            ) {
+                return false;
+            }
+
+            // totally INSECURE http protocol!
+            return true;
+        }
+
+        /**
+         * init on application start
+         *
+         * @name   InitialCheck.init
+         * @function
+         */
+        me.init = function()
+        {
+            if (isInsecureConnection()) {
+                Alert.showError('This instance is using an insecure connection! Please only use this for testing.');
+            }
+        }
+
+        return me;
+    })(window, document);
+
     return {
         Helper: Helper,
         I18n: I18n,

From fc914b4b8471287e6f7fb9c6511c8a2036801711 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Mon, 17 Jun 2019 21:09:21 +0200
Subject: [PATCH 02/18] moved bad bot check into InitialCheck, changed old ie
 notice into generic update warning, when unsupported user agent is detected
 and made the other IE alert show in all versions as it is now entirely
 unsupported

---
 js/privatebin.js  | 161 ++++++++++++++++++++++++++++++----------------
 tpl/bootstrap.php |  12 ++--
 tpl/page.php      |  10 +--
 3 files changed, 116 insertions(+), 67 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 174e8da..cde6792 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -176,18 +176,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
     const Helper = (function () {
         const me = {};
 
-        /**
-         * blacklist of UserAgents (parts) known to belong to a bot
-         *
-         * @private
-         * @enum   {Object}
-         * @readonly
-         */
-        const BadBotUA = [
-            'Bot',
-            'bot'
-        ];
-
         /**
          * cache for script location
          *
@@ -365,25 +353,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             return baseUri;
         };
 
-
-        /**
-         * checks whether this is a bot we dislike
-         *
-         * @name   Helper.isBadBot
-         * @function
-         * @return {bool}
-         */
-        me.isBadBot = function() {
-            // check whether a bot user agent part can be found in the current
-            // user agent
-            for (let i = 0; i < BadBotUA.length; ++i) {
-                if (navigator.userAgent.indexOf(BadBotUA) >= 0) {
-                    return true;
-                }
-            }
-            return false;
-        }
-
         /**
          * wrap an object into a Paste, used for mocking in the unit tests
          *
@@ -4561,15 +4530,58 @@ jQuery.PrivateBin = (function($, RawDeflate) {
      * @param  {object} document
      * @class
      */
-    var InitialCheck = (function (window, document) {
+    var InitialCheck = (function () {
         var me = {};
 
+        /**
+         * blacklist of UserAgents (parts) known to belong to a bot
+         *
+         * @private
+         * @enum   {Array}
+         * @readonly
+         */
+        const badBotUA = [
+            'Bot',
+            'bot'
+        ];
+
+        /**
+         * blacklist of UserAgent versions known not to work with this application
+         *
+         * @private
+         * @enum   {Object}
+         * @readonly
+         */
+        const oldUA = [
+            {
+                'regex': /Chrome\/([0-9]+)/,
+                'minVersion': 57,
+            },
+            {
+                'regex': /Edge\/([0-9]+)/,
+                'minVersion': 16,
+            },
+            {
+                'regex': /Firefox\/([0-9]+)/,
+                'minVersion': 54,
+            },
+            {
+                'regex': /Opera\/.*Version\/([0-9]+)/,
+                'minVersion': 44,
+            },
+            {
+                'regex': /Version\/([0-9]+).*Safari/,
+                'minVersion': 11,
+            }
+        ];
+
         /**
          * check if the connection is insecure
          *
          * @private
          * @name   InitialCheck.isInsecureConnection
          * @function
+         * @return {bool}
          */
         function isInsecureConnection()
         {
@@ -4601,20 +4613,73 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         }
 
         /**
-         * init on application start
+         * checks whether this is a bot we dislike
+         *
+         * @private
+         * @name   InitialCheck.isBadBot
+         * @function
+         * @return {bool}
+         */
+        function isBadBot() {
+            // check whether a bot user agent part can be found in the current
+            // user agent
+            for (let i = 0; i < badBotUA.length; ++i) {
+                if (navigator.userAgent.indexOf(badBotUA) >= 0) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        /**
+         * checks whether this is an unsupported browser
+         *
+         * @private
+         * @name   InitialCheck.isOldBrowser
+         * @function
+         * @return {bool}
+         */
+        function isOldBrowser() {
+            for (let i = 0; i < oldUA.length; ++i) {
+                let result = oldUA[i]['regex'].exec(navigator.userAgent);
+                if (result && result[1] < oldUA[i]['minVersion']) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        /**
+         * init on application start, returns an all-clear signal
          *
          * @name   InitialCheck.init
          * @function
+         * @return {bool}
          */
         me.init = function()
         {
+            // prevent bots from viewing a paste and potentially deleting data
+            // when burn-after-reading is set
+            if (isBadBot()) {
+                Alert.showError('I love you too, bot…');
+                return false;
+            }
+
+            if (isOldBrowser()) {
+                $('#oldnotice').toggle(true);
+                // execution will likely fail, but the user agent may be
+                // deliberately set to an incorrect value, so let it proceed
+            }
+
             if (isInsecureConnection()) {
                 Alert.showError('This instance is using an insecure connection! Please only use this for testing.');
             }
+
+            return true;
         }
 
         return me;
-    })(window, document);
+    })();
 
     /**
      * (controller) main PrivateBin logic
@@ -4663,18 +4728,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             Alert.hideLoading();
         };
 
-        /**
-         * shows how we much we love bots that execute JS ;)
-         *
-         * @name   Controller.showBadBotMessage
-         * @function
-         */
-        me.showBadBotMessage = function()
-        {
-            TopNav.hideAllButtons();
-            Alert.showError('I love you too, bot…');
-        }
-
         /**
          * shows the loaded paste
          *
@@ -4802,6 +4855,10 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 
             // initialize other modules/"classes"
             Alert.init();
+            if (!InitialCheck.init()) {
+                // something major is wrong, stop right away
+                return;
+            }
             Model.init();
             AttachmentViewer.init();
             DiscussionViewer.init();
@@ -4811,7 +4868,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             Prompt.init();
             TopNav.init();
             UiHelper.init();
-            InitialCheck.init();
             z = (await zlib);
 
             // check whether existing paste needs to be shown
@@ -4822,19 +4878,12 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 return me.newPaste();
             }
 
-            // if delete token is passed (i.e. paste has been deleted by this access)
-            // there is no more stuf we need to do
+            // if delete token is passed (i.e. paste has been deleted by this
+            // access), there is nothing more to do
             if (Model.hasDeleteToken()) {
                 return;
             }
 
-            // prevent bots from viewing a paste and potentially deleting data
-            // when burn-after-reading is set
-            // see https://github.com/elrido/ZeroBin/issues/11
-            if (Helper.isBadBot()) {
-                return me.showBadBotMessage();
-            }
-
             // display an existing paste
             return me.showPaste();
         }
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index a53cdc7..c09fbd3 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,9 +72,9 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-RE9PlksCFEcNHrU0eXzMBdNahXuwzbJHdzmCFNR5LlXMK+bSE5f07qniZJcszcW8L0imdN7MFSsBHxXxVdaqqg==" crossorigin="anonymous"></script>
-		<!--[if lt IE 10]>
-		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-XBHCzQfUJpMdNvleyRI6rLt0Kvq4qvz0KOyUSOPbuEF9W4ihPFwCrwHyLS0XOxFmhAPbh81YPKCn1BPKXSQc2g==" crossorigin="anonymous"></script>
+		<!--[if IE]>
+		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
@@ -449,16 +449,16 @@ endif;
 					<?php echo htmlspecialchars($ERROR), PHP_EOL; ?>
 				</div>
 				<noscript>
-					<div id="noscript" role="alert" class="nonworking alert alert-<?php echo $isDark ? 'error' : 'warning'; ?>">
+					<div id="noscript" role="alert" class="alert alert-<?php echo $isDark ? 'error' : 'warning'; ?>">
 						<span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>
 						<?php echo I18n::_('JavaScript is required for %s to work.<br />Sorry for the inconvenience.', I18n::_($NAME)), PHP_EOL; ?>
 					</div>
 				</noscript>
-				<div id="oldienotice" role="alert" class="hidden nonworking alert alert-danger">
+				<div id="oldnotice" role="alert" class="hidden alert alert-danger">
 					<span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
 					<?php echo I18n::_('%s requires a modern browser to work.', I18n::_($NAME)), PHP_EOL; ?>
 				</div>
-				<div id="ienotice" role="alert" class="hidden alert alert-<?php echo $isDark ? 'error' : 'warning'; ?>">
+				<div id="ienotice" role="alert" class="hidden alert alert-danger">
 					<span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span>
 					<?php echo I18n::_('Still using Internet Explorer? Do yourself a favor, switch to a modern browser:'), PHP_EOL; ?>
 					<a href="https://www.mozilla.org/firefox/">Firefox</a>,
diff --git a/tpl/page.php b/tpl/page.php
index 84aefd3..9cc7325 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,9 +50,9 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-RE9PlksCFEcNHrU0eXzMBdNahXuwzbJHdzmCFNR5LlXMK+bSE5f07qniZJcszcW8L0imdN7MFSsBHxXxVdaqqg==" crossorigin="anonymous"></script>
-		<!--[if lt IE 10]>
-		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-XBHCzQfUJpMdNvleyRI6rLt0Kvq4qvz0KOyUSOPbuEF9W4ihPFwCrwHyLS0XOxFmhAPbh81YPKCn1BPKXSQc2g==" crossorigin="anonymous"></script>
+		<!--[if IE]>
+		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
@@ -78,8 +78,8 @@ endif;
 			<h2 class="title"><?php echo I18n::_('Because ignorance is bliss'); ?></h2><br />
 			<h3 class="title"><?php echo $VERSION; ?></h3>
 			<noscript><div id="noscript" class="nonworking"><?php echo I18n::_('JavaScript is required for %s to work.<br />Sorry for the inconvenience.', I18n::_($NAME)); ?></div></noscript>
-			<div id="oldienotice" class="nonworking"><?php echo I18n::_('%s requires a modern browser to work.', I18n::_($NAME)); ?></div>
-			<div id="ienotice"><?php echo I18n::_('Still using Internet Explorer? Do yourself a favor, switch to a modern browser:'), PHP_EOL; ?>
+			<div id="oldnotice" class="nonworking"><?php echo I18n::_('%s requires a modern browser to work.', I18n::_($NAME)); ?></div>
+			<div id="ienotice" class="nonworking"><?php echo I18n::_('Still using Internet Explorer? Do yourself a favor, switch to a modern browser:'), PHP_EOL; ?>
 				<a href="https://www.mozilla.org/firefox/">Firefox</a>,
 				<a href="https://www.opera.com/">Opera</a>,
 				<a href="https://www.google.com/chrome">Chrome</a>…

From a67c9ab12939b4f91dd4c70bac9f482ed480f62d Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Mon, 17 Jun 2019 21:18:30 +0200
Subject: [PATCH 03/18] reworded the message, added the missing translation
 strings

---
 i18n/de.json      | 5 ++++-
 i18n/es.json      | 7 +++++--
 i18n/fr.json      | 7 +++++--
 i18n/hu.json      | 7 +++++--
 i18n/it.json      | 7 +++++--
 i18n/nl.json      | 7 +++++--
 i18n/no.json      | 5 ++++-
 i18n/oc.json      | 5 ++++-
 i18n/pl.json      | 5 ++++-
 i18n/pt.json      | 5 ++++-
 i18n/ru.json      | 5 ++++-
 i18n/sl.json      | 5 ++++-
 i18n/zh.json      | 5 ++++-
 js/privatebin.js  | 2 +-
 tpl/bootstrap.php | 2 +-
 tpl/page.php      | 2 +-
 16 files changed, 60 insertions(+), 21 deletions(-)

diff --git a/i18n/de.json b/i18n/de.json
index 7c81cc8..213e4bd 100644
--- a/i18n/de.json
+++ b/i18n/de.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ kein Paste-Text +++",
     "Could not get paste data: %s":
         "Text konnte nicht geladen werden: %s",
-    "QR code": "QR code"
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
diff --git a/i18n/es.json b/i18n/es.json
index fc98518..e4ff357 100644
--- a/i18n/es.json
+++ b/i18n/es.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ \"paste\" sin texto +++",
     "Could not get paste data: %s":
         "No se pudieron obtener los datos: %s",
-    "QR code": "Código QR"
-}
\ No newline at end of file
+    "QR code": "Código QR",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
+}
diff --git a/i18n/fr.json b/i18n/fr.json
index 414a363..28916e7 100644
--- a/i18n/fr.json
+++ b/i18n/fr.json
@@ -163,5 +163,8 @@
     "+++ no paste text +++": "+++ pas de paste-text +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
-    "QR code": "QR code"
-}
\ No newline at end of file
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
+}
diff --git a/i18n/hu.json b/i18n/hu.json
index c12b71b..b421ec5 100644
--- a/i18n/hu.json
+++ b/i18n/hu.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ nincs beillesztett szöveg +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
-    "QR code": "QR code"
-}
\ No newline at end of file
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
+}
diff --git a/i18n/it.json b/i18n/it.json
index a612332..19d64c5 100644
--- a/i18n/it.json
+++ b/i18n/it.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ nessun testo nel messaggio +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
-    "QR code": "QR code"
-}
\ No newline at end of file
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
+}
diff --git a/i18n/nl.json b/i18n/nl.json
index c009bca..6e7b224 100644
--- a/i18n/nl.json
+++ b/i18n/nl.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ geen geplakte tekst +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
-    "QR code": "QR code"
-}
\ No newline at end of file
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
+}
diff --git a/i18n/no.json b/i18n/no.json
index 30accac..6b99aa5 100644
--- a/i18n/no.json
+++ b/i18n/no.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ ingen innleggstekst +++",
     "Could not get paste data: %s":
         "Kunne ikke hente utklippsdata: %s",
-    "QR code": "QR code"
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
diff --git a/i18n/oc.json b/i18n/oc.json
index dc4b02c..236e7ca 100644
--- a/i18n/oc.json
+++ b/i18n/oc.json
@@ -163,5 +163,8 @@
     "+++ no paste text +++": "+++ cap de tèxte pegat +++",
     "Could not get paste data: %s":
         "Recuperacion impossibla de las donadas copiadas : %s",
-    "QR code": "Còdi QR"
+    "QR code": "Còdi QR",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
diff --git a/i18n/pl.json b/i18n/pl.json
index 5391bce..253882f 100644
--- a/i18n/pl.json
+++ b/i18n/pl.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ brak wklejonego tekstu +++",
     "Could not get paste data: %s":
         "Nie można było pobrać danych wklejki: %s",
-    "QR code": "Kod QR"
+    "QR code": "Kod QR",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
diff --git a/i18n/pt.json b/i18n/pt.json
index 108e743..1888d2e 100644
--- a/i18n/pt.json
+++ b/i18n/pt.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ sem texto de cópia +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
-    "QR code": "QR code"
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
\ No newline at end of file
diff --git a/i18n/ru.json b/i18n/ru.json
index 9499ed5..aa4c7bb 100644
--- a/i18n/ru.json
+++ b/i18n/ru.json
@@ -164,5 +164,8 @@
     "+++ no paste text +++": "+++ в записи нет текста +++",
     "Could not get paste data: %s":
         "Не удалось получить данные записи: %s",
-    "QR code": "QR code"
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
diff --git a/i18n/sl.json b/i18n/sl.json
index 66f9c01..e1ef2b6 100644
--- a/i18n/sl.json
+++ b/i18n/sl.json
@@ -163,5 +163,8 @@
     "+++ no paste text +++": "+++ no paste text +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
-    "QR code": "QR code"
+    "QR code": "QR code",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
diff --git a/i18n/zh.json b/i18n/zh.json
index 305009c..6c6c771 100644
--- a/i18n/zh.json
+++ b/i18n/zh.json
@@ -154,5 +154,8 @@
     "+++ no paste text +++": "+++ 没有粘贴内容 +++",
     "Could not get paste data: %s":
         "无法获取粘贴数据：%s",
-    "QR code": "二维码"
+    "QR code": "二维码",
+    "I love you too, bot…": "I love you too, bot…",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "This website is using an insecure HTTP connection! Please use it only for testing."
 }
diff --git a/js/privatebin.js b/js/privatebin.js
index cde6792..ca57eb5 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4672,7 +4672,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
 
             if (isInsecureConnection()) {
-                Alert.showError('This instance is using an insecure connection! Please only use this for testing.');
+                Alert.showError('This website is using an insecure HTTP connection! Please use it only for testing.');
             }
 
             return true;
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index c09fbd3..9f2ff4f 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-XBHCzQfUJpMdNvleyRI6rLt0Kvq4qvz0KOyUSOPbuEF9W4ihPFwCrwHyLS0XOxFmhAPbh81YPKCn1BPKXSQc2g==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-M0NIZDkl5ZzzzG1ISZjgrgKr2jMDZ7EeTfVAgj7YkkbU83pAddjfkjlak9dp5KsMZYFDw62052a+bT+PPJhMCA==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 9cc7325..a552e80 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-XBHCzQfUJpMdNvleyRI6rLt0Kvq4qvz0KOyUSOPbuEF9W4ihPFwCrwHyLS0XOxFmhAPbh81YPKCn1BPKXSQc2g==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-M0NIZDkl5ZzzzG1ISZjgrgKr2jMDZ7EeTfVAgj7YkkbU83pAddjfkjlak9dp5KsMZYFDw62052a+bT+PPJhMCA==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From 42c20032204faf494cdb6e2d3cf99675b66c96ed Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Mon, 17 Jun 2019 21:40:37 +0200
Subject: [PATCH 04/18] made notice configurable, fixing a few CSS glitches

---
 cfg/conf.sample.php          |  3 +++
 css/bootstrap/privatebin.css |  7 +++----
 css/privatebin.css           |  4 ++--
 js/privatebin.js             |  3 +--
 lib/Configuration.php        |  1 +
 lib/Controller.php           |  1 +
 tpl/bootstrap.php            | 18 ++++++++++++++----
 tpl/page.php                 |  9 ++++++++-
 tst/ViewTest.php             |  1 +
 9 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index fba5df8..b195e2a 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -77,6 +77,9 @@ languageselection = false
 ; sha256 in HMAC for the deletion token
 zerobincompatibility = false
 
+; enable or disable the warning message when the site is served over HTTP instead of HTTPS, defaults to true
+httpwarning = true
+
 [expire]
 ; expire value that is selected per default
 ; make sure the value exists in [expire_options]
diff --git a/css/bootstrap/privatebin.css b/css/bootstrap/privatebin.css
index 8355ac3..1c7bc28 100644
--- a/css/bootstrap/privatebin.css
+++ b/css/bootstrap/privatebin.css
@@ -81,12 +81,11 @@ body.loading {
 }
 
 .dragAndDropFile{
-        color:#777;
-        font-size:1em;
-        display:inline;
+	color:#777;
+	font-size:1em;
+	display:inline;
 }
 
-
 #deletelink {
 	float: right;
 	margin-left: 5px;
diff --git a/css/privatebin.css b/css/privatebin.css
index 5dab6c0..c7124e2 100644
--- a/css/privatebin.css
+++ b/css/privatebin.css
@@ -290,9 +290,9 @@ input {
 
 #ienotice a { color: #000; }
 
-#oldienotice { display: none; }
+#oldnotice, #httpnotice { display: none; }
 
-.errorMessage {
+#errormessage, .errorMessage {
 	background-color: #f77 !important;
 	color:#ff0;
 }
diff --git a/js/privatebin.js b/js/privatebin.js
index ca57eb5..5b39658 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1651,7 +1651,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.hideMessages = function()
         {
-            // also possible: $('.statusmessage').addClass('hidden');
             $statusMessage.addClass('hidden');
             $errorMessage.addClass('hidden');
         };
@@ -4672,7 +4671,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
 
             if (isInsecureConnection()) {
-                Alert.showError('This website is using an insecure HTTP connection! Please use it only for testing.');
+                $('#httpnotice').toggle(true);
             }
 
             return true;
diff --git a/lib/Configuration.php b/lib/Configuration.php
index b6d7c41..8202c93 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -55,6 +55,7 @@ class Configuration
             'icon'                     => 'identicon',
             'cspheader'                => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\' \'unsafe-eval\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; Referrer-Policy: \'no-referrer\'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals',
             'zerobincompatibility'     => false,
+            'httpwarning'              => true,
         ),
         'expire' => array(
             'default' => '1week',
diff --git a/lib/Controller.php b/lib/Controller.php
index 142bb5b..09b257a 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -386,6 +386,7 @@ class Controller
         $page->assign('EXPIREDEFAULT', $this->_conf->getKey('default', 'expire'));
         $page->assign('URLSHORTENER', $this->_conf->getKey('urlshortener'));
         $page->assign('QRCODE', $this->_conf->getKey('qrcode'));
+        $page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
         $page->draw($this->_conf->getKey('template'));
     }
 
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 9f2ff4f..c908cae 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-M0NIZDkl5ZzzzG1ISZjgrgKr2jMDZ7EeTfVAgj7YkkbU83pAddjfkjlak9dp5KsMZYFDw62052a+bT+PPJhMCA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-nuGweMxu6IG9HcczL7tf6dhR2vGKVaYuv7yC7ap+WsUnI6TMrdyQiT1dZG/k9JvnvW+ptJ+bFkuHpgec1gZ/DA==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
@@ -440,11 +440,11 @@ if ($FILEUPLOAD):
 <?php
 endif;
 ?>
-				<div id="status" role="alert" class="statusmessage alert alert-info<?php echo empty($STATUS) ? ' hidden' : '' ?>">
+				<div id="status" role="alert" class="alert alert-info<?php echo empty($STATUS) ? ' hidden' : '' ?>">
 					<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>
 					<?php echo htmlspecialchars($STATUS), PHP_EOL; ?>
 				</div>
-				<div id="errormessage" role="alert" class="statusmessage<?php echo empty($ERROR) ? ' hidden' : '' ?> alert alert-danger">
+				<div id="errormessage" role="alert" class="<?php echo empty($ERROR) ? 'hidden' : '' ?> alert alert-danger">
 					<span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
 					<?php echo htmlspecialchars($ERROR), PHP_EOL; ?>
 				</div>
@@ -465,6 +465,16 @@ endif;
 					<a href="https://www.opera.com/">Opera</a>,
 					<a href="https://www.google.com/chrome">Chrome</a>…
 				</div>
+<?php
+if ($HTTPWARNING):
+?>
+				<div id="httpnotice" role="alert" class="hidden alert alert-danger">
+					<span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
+					<?php echo I18n::_('This website is using an insecure HTTP connection! Please use it only for testing.'), PHP_EOL; ?>
+				</div>
+<?php
+endif;
+?>
 				<div id="pastesuccess" role="alert" class="hidden alert alert-success">
 					<span class="glyphicon glyphicon-ok" aria-hidden="true"></span>
 					<div id="deletelink"></div>
@@ -502,7 +512,7 @@ endif;
 				</div>
 			</section>
 			<section class="container">
-				<div id="noscript" role="alert" class="nonworking alert alert-info noscript-hide">
+				<div id="noscript" role="alert" class="alert alert-info noscript-hide">
 					<span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>
 					<?php echo I18n::_('Loading…'); ?><br />
 					<span class="small"><?php echo I18n::_('In case this message never disappears please have a look at <a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away">this FAQ for information to troubleshoot</a>.'); ?></span>
diff --git a/tpl/page.php b/tpl/page.php
index a552e80..a571cdb 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-M0NIZDkl5ZzzzG1ISZjgrgKr2jMDZ7EeTfVAgj7YkkbU83pAddjfkjlak9dp5KsMZYFDw62052a+bT+PPJhMCA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-nuGweMxu6IG9HcczL7tf6dhR2vGKVaYuv7yC7ap+WsUnI6TMrdyQiT1dZG/k9JvnvW+ptJ+bFkuHpgec1gZ/DA==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
@@ -84,6 +84,13 @@ endif;
 				<a href="https://www.opera.com/">Opera</a>,
 				<a href="https://www.google.com/chrome">Chrome</a>…
 			</div>
+<?php
+if ($HTTPWARNING):
+?>
+			<div id="httpnotice" class="errorMessage"><?php echo I18n::_('This website is using an insecure HTTP connection! Please use it only for testing.'); ?></div>
+<?php
+endif;
+?>
 		</header>
 		<section>
 			<article>
diff --git a/tst/ViewTest.php b/tst/ViewTest.php
index 4437344..cde7c1b 100644
--- a/tst/ViewTest.php
+++ b/tst/ViewTest.php
@@ -55,6 +55,7 @@ class ViewTest extends PHPUnit_Framework_TestCase
         $page->assign('EXPIREDEFAULT', self::$expire_default);
         $page->assign('URLSHORTENER', '');
         $page->assign('QRCODE', true);
+        $page->assign('HTTPWARNING', true);
 
         $dir = dir(PATH . 'tpl');
         while (false !== ($file = $dir->read())) {

From 1958a556510fe60a8af2fe24e9e12c16cd9beea5 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Thu, 20 Jun 2019 21:38:29 +0200
Subject: [PATCH 05/18] adding new dev dependency to support the URL object

---
 js/common.js    | 1 +
 js/package.json | 1 +
 tst/README.md   | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/js/common.js b/js/common.js
index c8f9b6b..9f8a11f 100644
--- a/js/common.js
+++ b/js/common.js
@@ -5,6 +5,7 @@ global.assert = require('assert');
 global.jsc = require('jsverify');
 global.jsdom = require('jsdom-global');
 global.cleanup = global.jsdom();
+global.window.URL = require('jsdom-url');
 global.fs = require('fs');
 global.WebCrypto = require('node-webcrypto-ossl');
 
diff --git a/js/package.json b/js/package.json
index 7993fbc..3854339 100644
--- a/js/package.json
+++ b/js/package.json
@@ -10,6 +10,7 @@
   "devDependencies": {
     "jsdom": "^9.12.0",
     "jsdom-global": "^2.1.1",
+    "jsdom-url": "^2.2.1",
     "jsverify": "^0.8.3",
     "mime-types": "^2.1.20",
     "node-webcrypto-ossl": "^1.0.37"
diff --git a/tst/README.md b/tst/README.md
index d6db6bf..10af570 100644
--- a/tst/README.md
+++ b/tst/README.md
@@ -89,7 +89,7 @@ and jsdom-global locally:
 ```console
 $ npm install -g mocha nyc
 $ cd PrivateBin/js
-$ npm install jsverify jsdom@9 jsdom-global@2 mime-types node-webcrypto-ossl
+$ npm install jsverify jsdom@9 jsdom-global@2 mime-types node-webcrypto-ossl jsdom-url
 ```
 
 Example for Debian and Ubuntu, including steps to allow the current user to

From 50cc6995e0cf6ef46ab145a5b2ec88a6e7d5cecd Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Thu, 20 Jun 2019 22:30:49 +0200
Subject: [PATCH 06/18] making use of the URL object in the existing tests

---
 js/common.js      |  2 +-
 js/privatebin.js  | 30 ++++++++++--------------------
 js/test/Model.js  |  6 ++++--
 tpl/bootstrap.php |  2 +-
 tpl/page.php      |  2 +-
 5 files changed, 17 insertions(+), 25 deletions(-)

diff --git a/js/common.js b/js/common.js
index 9f8a11f..f593f0c 100644
--- a/js/common.js
+++ b/js/common.js
@@ -5,7 +5,7 @@ global.assert = require('assert');
 global.jsc = require('jsverify');
 global.jsdom = require('jsdom-global');
 global.cleanup = global.jsdom();
-global.window.URL = require('jsdom-url');
+global.URL = require('jsdom-url').URL;
 global.fs = require('fs');
 global.WebCrypto = require('node-webcrypto-ossl');
 
diff --git a/js/privatebin.js b/js/privatebin.js
index a43e1cb..45bd250 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1196,30 +1196,20 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
 
             // do use URL interface, if possible
-            if (window.URL && window.URL.prototype && ('searchParams' in window.URL.prototype)) {
-                try {
-                    const url = new URL(window.location);
+            const url = new URL(window.location);
 
-                    for (const param of url.searchParams) {
-                        const key = param[0];
-                        const value = param[1];
+            for (const param of url.searchParams) {
+                const key = param[0];
+                const value = param[1];
 
-                        if (value === '' && idRegEx.test(key)) {
-                            // safe, as the whole regex is matched
-                            id = key;
-                            return id;
-                        }
-                    }
-                } catch (e) {
-                    // fallback below
-                    console.error('URL interface not properly supported, error:', e);
+                if (value === '' && idRegEx.test(key)) {
+                    // safe, as the whole regex is matched
+                    id = key;
+                    return key;
                 }
             }
 
-            // Attention: This also returns the delete token inside of the ID, if it is specified
-            id = (window.location.search.match(idRegExFind) || [''])[0];
-
-            if (id === '') {
+            if (id === null) {
                 throw 'no paste id given';
             }
 
@@ -4587,7 +4577,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         function isInsecureConnection()
         {
-            const url = new URL(document.URL);
+            const url = new URL(window.location);
 
             // HTTP is obviously insecure
             if (url.protocol !== 'http:') {
diff --git a/js/test/Model.js b/js/test/Model.js
index 57aa22e..cfcd6db 100644
--- a/js/test/Model.js
+++ b/js/test/Model.js
@@ -93,8 +93,9 @@ describe('Model', function () {
                     clean            = jsdom('', {
                         url: schema.join('') + '://' + address.join('') +
                              '/?' + queryString + '#' + fragment
-                    }),
-                    result = $.PrivateBin.Model.getPasteId();
+                    });
+                    global.URL = require('jsdom-url').URL;
+                    var result = $.PrivateBin.Model.getPasteId();
                 $.PrivateBin.Model.reset();
                 clean();
                 return pasteIdString === result;
@@ -111,6 +112,7 @@ describe('Model', function () {
                              '/#' + fragment
                     }),
                     result = false;
+                global.URL = require('jsdom-url').URL;
                 try {
                     $.PrivateBin.Model.getPasteId();
                 }
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index ab7da24..08c8739 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-GrZx46UtJMOVLWWM6lYoTCnrdLM1EvNps1yUI12PvhcIYpe4WfOrIwmNVjngz2OZhkNj8xvidH9NCovCobpoNQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-sVyyVYPT9SWHwzqnG3KVpxDVDCQVE3Rb3xxe3aaXxMLPvsqzZSS/WnviVLzdT0K8hCeO2bqNLymW/5POz1u11w==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 9e54e22..8947d53 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-GrZx46UtJMOVLWWM6lYoTCnrdLM1EvNps1yUI12PvhcIYpe4WfOrIwmNVjngz2OZhkNj8xvidH9NCovCobpoNQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-sVyyVYPT9SWHwzqnG3KVpxDVDCQVE3Rb3xxe3aaXxMLPvsqzZSS/WnviVLzdT0K8hCeO2bqNLymW/5POz1u11w==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From a1b1efeae29d846bdd741def59ef8e4b48259ca5 Mon Sep 17 00:00:00 2001
From: rugk <rugk+git@posteo.de>
Date: Fri, 21 Jun 2019 19:03:45 +0200
Subject: [PATCH 07/18] Adjust messages

---
 tpl/bootstrap.php | 3 ++-
 tpl/page.php      | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 08c8739..eec3807 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -470,7 +470,8 @@ if ($HTTPWARNING):
 ?>
 				<div id="httpnotice" role="alert" class="hidden alert alert-danger">
 					<span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
-					<?php echo I18n::_('This website is using an insecure HTTP connection! Please use it only for testing.'), PHP_EOL; ?>
+					<?php echo I18n::_('This website is using an insecure connection! Please only use it for testing.'), PHP_EOL; ?><br />
+					<span class="small"><?php echo I18n::_('For more information <a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection">see this FAQ entry</a>.'); ?></span>
 				</div>
 <?php
 endif;
diff --git a/tpl/page.php b/tpl/page.php
index 8947d53..870c68d 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -87,7 +87,10 @@ endif;
 <?php
 if ($HTTPWARNING):
 ?>
-			<div id="httpnotice" class="errorMessage"><?php echo I18n::_('This website is using an insecure HTTP connection! Please use it only for testing.'); ?></div>
+			<div id="httpnotice" class="errorMessage">
+				<?php echo I18n::_('This website is using an insecure connection! Please only use it for testing.'); ?>
+				<span class="small"><?php echo I18n::_('For more information <a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection">see this FAQ entry</a>.'); ?></span>
+			</div>
 <?php
 endif;
 ?>

From e5974d46635b9db99c9ba1f14d34a0ab72605e6a Mon Sep 17 00:00:00 2001
From: rugk <rugk+git@posteo.de>
Date: Fri, 21 Jun 2019 19:48:16 +0200
Subject: [PATCH 08/18] Prefer isSecureContext if available

---
 js/privatebin.js  | 5 +++++
 tpl/bootstrap.php | 4 ++--
 tpl/page.php      | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 45bd250..bf30a52 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4577,6 +4577,11 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         function isInsecureConnection()
         {
+            // use .isSecureContext if available
+            if (window.isSecureContext === true || window.isSecureContext === false) {
+                return !window.isSecureContext;
+            }
+        
             const url = new URL(window.location);
 
             // HTTP is obviously insecure
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index eec3807..d14dccc 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-sVyyVYPT9SWHwzqnG3KVpxDVDCQVE3Rb3xxe3aaXxMLPvsqzZSS/WnviVLzdT0K8hCeO2bqNLymW/5POz1u11w==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-lddjg/5Djy4VAY2IZk3kdLPchAnjHhoUHEemgxRwi351CjSS9GDu7QUpRT/pPPeB8Xh0owxCB9WvcV6hZ/999w==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
@@ -91,7 +91,6 @@ if ($isCpct):
 endif;
 if ($isDark):
 ?> class="dark-theme"<?php
-endif;
 ?>>
 		<div id="passwordmodal" tabindex="-1" class="modal fade" role="dialog" aria-hidden="true">
 			<div class="modal-dialog" role="document">
@@ -109,6 +108,7 @@ endif;
 			</div>
 		</div>
 <?php
+endif;
 if ($QRCODE):
 ?>
 		<div id="qrcodemodal" tabindex="-1" class="modal fade" aria-labelledby="qrcodemodalTitle" role="dialog" aria-hidden="true">
diff --git a/tpl/page.php b/tpl/page.php
index 870c68d..827edf7 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-sVyyVYPT9SWHwzqnG3KVpxDVDCQVE3Rb3xxe3aaXxMLPvsqzZSS/WnviVLzdT0K8hCeO2bqNLymW/5POz1u11w==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-lddjg/5Djy4VAY2IZk3kdLPchAnjHhoUHEemgxRwi351CjSS9GDu7QUpRT/pPPeB8Xh0owxCB9WvcV6hZ/999w==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From b7db033bddd39bb2235933a5a931ce27df3360e3 Mon Sep 17 00:00:00 2001
From: rugk <rugk+git@posteo.de>
Date: Fri, 21 Jun 2019 19:50:40 +0200
Subject: [PATCH 09/18] Adjust config text

---
 cfg/conf.sample.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index b195e2a..01dd32d 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -77,7 +77,10 @@ languageselection = false
 ; sha256 in HMAC for the deletion token
 zerobincompatibility = false
 
-; enable or disable the warning message when the site is served over HTTP instead of HTTPS, defaults to true
+; Enable or disable the warning message when the site is served over an insecure connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
 httpwarning = true
 
 [expire]

From 58fa7c987d023de81b76b4066bef0822bfc020e3 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 22 Jun 2019 07:50:25 +0200
Subject: [PATCH 10/18] password modal is used in all flavors of the bootstrap
 theme

---
 tpl/bootstrap.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index d14dccc..51cb1ee 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -91,6 +91,7 @@ if ($isCpct):
 endif;
 if ($isDark):
 ?> class="dark-theme"<?php
+endif;
 ?>>
 		<div id="passwordmodal" tabindex="-1" class="modal fade" role="dialog" aria-hidden="true">
 			<div class="modal-dialog" role="document">
@@ -108,7 +109,6 @@ if ($isDark):
 			</div>
 		</div>
 <?php
-endif;
 if ($QRCODE):
 ?>
 		<div id="qrcodemodal" tabindex="-1" class="modal fade" aria-labelledby="qrcodemodalTitle" role="dialog" aria-hidden="true">

From 57bd65225d5856d5e958fdf249b267a6b1c7ec6c Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 22 Jun 2019 07:52:18 +0200
Subject: [PATCH 11/18] added new translation strings, moved URLs out of
 translations as they are static and it makes translation more compact

---
 i18n/de.json      |  8 +++++---
 i18n/es.json      |  8 +++++---
 i18n/fr.json      |  8 +++++---
 i18n/hu.json      |  8 +++++---
 i18n/it.json      |  8 +++++---
 i18n/nl.json      | 10 +++++++---
 i18n/no.json      |  8 +++++---
 i18n/oc.json      |  8 +++++---
 i18n/pl.json      |  8 +++++---
 i18n/pt.json      |  8 +++++---
 i18n/ru.json      |  8 +++++---
 i18n/sl.json      |  8 +++++---
 i18n/zh.json      |  8 +++++---
 tpl/bootstrap.php |  4 ++--
 tpl/page.php      |  2 +-
 15 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/i18n/de.json b/i18n/de.json
index 213e4bd..b40ff9b 100644
--- a/i18n/de.json
+++ b/i18n/de.json
@@ -149,13 +149,15 @@
     "Loading…": "Lädt…",
     "Decrypting paste…": "Entschlüssle Text…",
     "Preparing new paste…": "Bereite neuen Text vor…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Wenn diese Nachricht nicht mehr verschwindet, schau bitte in <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">die FAQ</a> (englisch), um zu sehen, wie der Fehler behoben werden kann.",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Wenn diese Nachricht nicht mehr verschwindet, schau bitte in <a href=\"%s\">die FAQ</a> (englisch), um zu sehen, wie der Fehler behoben werden kann.",
     "+++ no paste text +++": "+++ kein Paste-Text +++",
     "Could not get paste data: %s":
         "Text konnte nicht geladen werden: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/es.json b/i18n/es.json
index e4ff357..10cc7af 100644
--- a/i18n/es.json
+++ b/i18n/es.json
@@ -149,13 +149,15 @@
     "Loading…": "Cargando…",
     "Decrypting paste…": "Descifrando \"paste\"…",
     "Preparing new paste…": "Preparando \"paste\" nuevo…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "En caso de que este mensaje nunca desaparezca por favor revise <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">este FAQ para obtener información para solucionar problemas</a>.",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "En caso de que este mensaje nunca desaparezca por favor revise <a href=\"%s\">este FAQ para obtener información para solucionar problemas</a>.",
     "+++ no paste text +++": "+++ \"paste\" sin texto +++",
     "Could not get paste data: %s":
         "No se pudieron obtener los datos: %s",
     "QR code": "Código QR",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/fr.json b/i18n/fr.json
index 28916e7..d125b51 100644
--- a/i18n/fr.json
+++ b/i18n/fr.json
@@ -158,13 +158,15 @@
     "Loading…": "Chargement…",
     "Decrypting paste…": "Déchiffrement du paste…",
     "Preparing new paste…": "Préparation du paste…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Si ce message ne disparaîssait pas, jetez un oeil à <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">cette FAQ pour des idées de résolution</a> (en Anglais).",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Si ce message ne disparaîssait pas, jetez un oeil à <a href=\"%s\">cette FAQ pour des idées de résolution</a> (en Anglais).",
     "+++ no paste text +++": "+++ pas de paste-text +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/hu.json b/i18n/hu.json
index b421ec5..5016db6 100644
--- a/i18n/hu.json
+++ b/i18n/hu.json
@@ -149,13 +149,15 @@
     "Loading…": "Folyamatban...",
     "Decrypting paste…": "Bejegyzés dekódolása...",
     "Preparing new paste…": "Új bejegyzés előkészítése...",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Abban az esetben, ha ez az üzenet mindig látható lenne, látogass el a <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">Gyakran Ismételt Kérdések szekcióba a megoldásához</a>.",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Abban az esetben, ha ez az üzenet mindig látható lenne, látogass el a <a href=\"%s\">Gyakran Ismételt Kérdések szekcióba a megoldásához</a>.",
     "+++ no paste text +++": "+++ nincs beillesztett szöveg +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/it.json b/i18n/it.json
index 19d64c5..2db8346 100644
--- a/i18n/it.json
+++ b/i18n/it.json
@@ -149,13 +149,15 @@
     "Loading…": "Carico…",
     "Decrypting paste…": "Decifro il messaggio…",
     "Preparing new paste…": "Preparo il nuovo messaggio…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Nel caso questo messaggio non scompaia, controlla questa <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">FAQ</a> per trovare informazioni su come risolvere il problema (in Inglese).",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Nel caso questo messaggio non scompaia, controlla questa <a href=\"%s\">FAQ</a> per trovare informazioni su come risolvere il problema (in Inglese).",
     "+++ no paste text +++": "+++ nessun testo nel messaggio +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/nl.json b/i18n/nl.json
index 6e7b224..35d540a 100644
--- a/i18n/nl.json
+++ b/i18n/nl.json
@@ -149,13 +149,17 @@
     "Loading…": "Laden…",
     "Decrypting paste…": "Geplakte tekst decoderen…",
     "Preparing new paste…": "Nieuwe geplakte tekst voorbereiden…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "In het geval dat dit bericht nooit verdwijnt, kijkt u dan eens naar <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\"> veelgestelde vragen voor informatie over het oplossen van problemen </a>.",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "In het geval dat dit bericht nooit verdwijnt, kijkt u dan eens naar <a href=\"%s\"> veelgestelde vragen voor informatie over het oplossen van problemen </a>.",
     "+++ no paste text +++": "+++ geen geplakte tekst +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/no.json b/i18n/no.json
index 6b99aa5..1e19e4c 100644
--- a/i18n/no.json
+++ b/i18n/no.json
@@ -149,13 +149,15 @@
     "Loading…": "Laster…",
     "Decrypting paste…": "Dekrypterer innlegg…",
     "Preparing new paste…": "Klargjør nytt innlegg…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Hvis denne meldingen ikke forsvinner kan du ta en titt på siden med <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">ofte stilte spørsmål</a> for informasjon om feilsøking.",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Hvis denne meldingen ikke forsvinner kan du ta en titt på siden med <a href=\"%s\">ofte stilte spørsmål</a> for informasjon om feilsøking.",
     "+++ no paste text +++": "+++ ingen innleggstekst +++",
     "Could not get paste data: %s":
         "Kunne ikke hente utklippsdata: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/oc.json b/i18n/oc.json
index 236e7ca..8b745af 100644
--- a/i18n/oc.json
+++ b/i18n/oc.json
@@ -158,13 +158,15 @@
     "Loading…": "Cargament…",
     "Decrypting paste…": "Deschirament del tèxte…",
     "Preparing new paste…": "Preparacion…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Se per cas aqueste messatge quita pas de s’afichar mercés de gaitar <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">aquesta FAQ per las solucions</a> (en anglés).",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Se per cas aqueste messatge quita pas de s’afichar mercés de gaitar <a href=\"%s\">aquesta FAQ per las solucions</a> (en anglés).",
     "+++ no paste text +++": "+++ cap de tèxte pegat +++",
     "Could not get paste data: %s":
         "Recuperacion impossibla de las donadas copiadas : %s",
     "QR code": "Còdi QR",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/pl.json b/i18n/pl.json
index 253882f..94f6d74 100644
--- a/i18n/pl.json
+++ b/i18n/pl.json
@@ -149,13 +149,15 @@
     "Loading…": "Wczytywanie…",
     "Decrypting paste…": "Odszyfrowywanie wklejki…",
     "Preparing new paste…": "Przygotowywanie nowej wklejki…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "W przypadku gdy ten komunikat nigdy nie znika, proszę spójrz na <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">to FAQ aby rozwiązać problem</a> (po angielsku).",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "W przypadku gdy ten komunikat nigdy nie znika, proszę spójrz na <a href=\"%s\">to FAQ aby rozwiązać problem</a> (po angielsku).",
     "+++ no paste text +++": "+++ brak wklejonego tekstu +++",
     "Could not get paste data: %s":
         "Nie można było pobrać danych wklejki: %s",
     "QR code": "Kod QR",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/pt.json b/i18n/pt.json
index 1888d2e..8db5fb8 100644
--- a/i18n/pt.json
+++ b/i18n/pt.json
@@ -149,13 +149,15 @@
     "Loading…": "Carregando…",
     "Decrypting paste…": "Decifrando cópia…",
     "Preparing new paste…": "Preparando nova cópia…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Caso essa mensagem nunca desapareça, por favor veja <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">este FAQ para saber como resolver os problemas</a>.",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Caso essa mensagem nunca desapareça, por favor veja <a href=\"%s\">este FAQ para saber como resolver os problemas</a>.",
     "+++ no paste text +++": "+++ sem texto de cópia +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
\ No newline at end of file
diff --git a/i18n/ru.json b/i18n/ru.json
index aa4c7bb..c2b9edf 100644
--- a/i18n/ru.json
+++ b/i18n/ru.json
@@ -159,13 +159,15 @@
     "Loading…": "Загрузка…",
     "Decrypting paste…": "Расшифровка записи…",
     "Preparing new paste…": "Подготовка новой записи…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "Если данное сообщение не исчезает длительное время, посмотрите <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">этот FAQ с информацией о возможном решении проблемы (на английском)</a>.",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Если данное сообщение не исчезает длительное время, посмотрите <a href=\"%s\">этот FAQ с информацией о возможном решении проблемы (на английском)</a>.",
     "+++ no paste text +++": "+++ в записи нет текста +++",
     "Could not get paste data: %s":
         "Не удалось получить данные записи: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/sl.json b/i18n/sl.json
index e1ef2b6..d34a9b9 100644
--- a/i18n/sl.json
+++ b/i18n/sl.json
@@ -158,13 +158,15 @@
     "Loading…": "Loading…",
     "Decrypting paste…": "Decrypting paste…",
     "Preparing new paste…": "Preparing new paste…",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a> (in English).",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a> (in English).",
     "+++ no paste text +++": "+++ no paste text +++",
     "Could not get paste data: %s":
         "Could not get paste data: %s",
     "QR code": "QR code",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/i18n/zh.json b/i18n/zh.json
index 6c6c771..8e01b2c 100644
--- a/i18n/zh.json
+++ b/i18n/zh.json
@@ -149,13 +149,15 @@
     "Loading…": "载入中…",
     "Decrypting paste…": "正在解密",
     "Preparing new paste…": "正在准备新的粘贴内容",
-    "In case this message never disappears please have a look at <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">this FAQ for information to troubleshoot</a>.":
-        "如果这个消息一直存在，请参考 <a href=\"https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away\">这里的 FAQ （英文版）</a>进行故障排除。",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "如果这个消息一直存在，请参考 <a href=\"%s\">这里的 FAQ （英文版）</a>进行故障排除。",
     "+++ no paste text +++": "+++ 没有粘贴内容 +++",
     "Could not get paste data: %s":
         "无法获取粘贴数据：%s",
     "QR code": "二维码",
     "I love you too, bot…": "I love you too, bot…",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing."
+        "This website is using an insecure HTTP connection! Please use it only for testing.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "For more information <a href=\"%s\">see this FAQ entry</a>."
 }
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 51cb1ee..1a9a161 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -471,7 +471,7 @@ if ($HTTPWARNING):
 				<div id="httpnotice" role="alert" class="hidden alert alert-danger">
 					<span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
 					<?php echo I18n::_('This website is using an insecure connection! Please only use it for testing.'), PHP_EOL; ?><br />
-					<span class="small"><?php echo I18n::_('For more information <a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection">see this FAQ entry</a>.'); ?></span>
+					<span class="small"><?php echo I18n::_('For more information <a href="%s">see this FAQ entry</a>.', 'https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection'); ?></span>
 				</div>
 <?php
 endif;
@@ -516,7 +516,7 @@ endif;
 				<div id="noscript" role="alert" class="alert alert-info noscript-hide">
 					<span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>
 					<?php echo I18n::_('Loading…'); ?><br />
-					<span class="small"><?php echo I18n::_('In case this message never disappears please have a look at <a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away">this FAQ for information to troubleshoot</a>.'); ?></span>
+					<span class="small"><?php echo I18n::_('In case this message never disappears please have a look at <a href="%s">this FAQ for information to troubleshoot</a>.', 'https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-the-loading-message-go-away'); ?></span>
 				</div>
 			</section>
 			<footer class="container">
diff --git a/tpl/page.php b/tpl/page.php
index 827edf7..4d8b8ba 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -89,7 +89,7 @@ if ($HTTPWARNING):
 ?>
 			<div id="httpnotice" class="errorMessage">
 				<?php echo I18n::_('This website is using an insecure connection! Please only use it for testing.'); ?>
-				<span class="small"><?php echo I18n::_('For more information <a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection">see this FAQ entry</a>.'); ?></span>
+				<span class="small"><?php echo I18n::_('For more information <a href="%s">see this FAQ entry</a>.', 'https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection'); ?></span>
 			</div>
 <?php
 endif;

From d0365faf769ddadd0f1322d54ad3da6323bd3ebf Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 22 Jun 2019 08:39:46 +0200
Subject: [PATCH 12/18] removing exceptions - in these cases server admins can
 opt to disable the warning message in the configuration

---
 js/privatebin.js  | 21 +--------------------
 tpl/bootstrap.php |  2 +-
 tpl/page.php      |  2 +-
 3 files changed, 3 insertions(+), 22 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index bf30a52..64663d6 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4581,31 +4581,12 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             if (window.isSecureContext === true || window.isSecureContext === false) {
                 return !window.isSecureContext;
             }
-        
-            const url = new URL(window.location);
 
+            const url = new URL(window.location);
             // HTTP is obviously insecure
             if (url.protocol !== 'http:') {
                 return false;
             }
-
-            // filter out actually secure connections over HTTP
-            if (
-                url.hostname.endsWith('.onion') ||
-                url.hostname.endsWith('.i2p')
-            ) {
-                return false;
-            }
-
-            // whitelist localhost for development
-            if (
-                url.hostname === 'localhost' ||
-                url.hostname === '127.0.0.1'
-            ) {
-                return false;
-            }
-
-            // totally INSECURE http protocol!
             return true;
         }
 
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 1a9a161..ab39c7e 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-lddjg/5Djy4VAY2IZk3kdLPchAnjHhoUHEemgxRwi351CjSS9GDu7QUpRT/pPPeB8Xh0owxCB9WvcV6hZ/999w==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PuvR+R5FHPl2S8Gh6UdybTvipakps3ndEDAUAKoRhgmjmljHqAQLnvG13IkdCTIG2Xxn6peumQPvWhrOg1Xx3Q==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 4d8b8ba..436e013 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-lddjg/5Djy4VAY2IZk3kdLPchAnjHhoUHEemgxRwi351CjSS9GDu7QUpRT/pPPeB8Xh0owxCB9WvcV6hZ/999w==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PuvR+R5FHPl2S8Gh6UdybTvipakps3ndEDAUAKoRhgmjmljHqAQLnvG13IkdCTIG2Xxn6peumQPvWhrOg1Xx3Q==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From 59153633b884c1e1d9c1fbc1df54379da67240fd Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 22 Jun 2019 09:12:31 +0200
Subject: [PATCH 13/18] adding test for bot UAs

---
 js/test/InitialCheck.js | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 js/test/InitialCheck.js

diff --git a/js/test/InitialCheck.js b/js/test/InitialCheck.js
new file mode 100644
index 0000000..30aba1a
--- /dev/null
+++ b/js/test/InitialCheck.js
@@ -0,0 +1,31 @@
+'use strict';
+var common = require('../common');
+
+describe('InitialCheck', function () {
+    describe('init', function () {
+        this.timeout(30000);
+        before(function () {
+            cleanup();
+        });
+
+        jsc.property(
+            'returns false and shows error, if a bot UA is detected',
+            'string',
+            jsc.elements(['Bot', 'bot']),
+            'string',
+            function (
+                prefix, botBit, suffix
+            ) {
+                const clean = jsdom(
+                    '<html><body><div id="errormessage" class="hidden"></div></body></html>',
+                    {'userAgent': prefix + botBit + suffix}
+                );
+                var result1 = $.PrivateBin.InitialCheck.init(),
+                    result2 = !$('#errormessage').hasClass('hidden');
+                clean();
+                return result1 && result2;
+            }
+        );
+    });
+});
+

From 603f7fd911aafa9451d4b1aacd574e5dd12aaca7 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 22 Jun 2019 15:44:54 +0200
Subject: [PATCH 14/18] adding tests for all cases

---
 i18n/de.json                 |   4 +-
 i18n/es.json                 |   4 +-
 i18n/fr.json                 |   4 +-
 i18n/hu.json                 |   4 +-
 i18n/it.json                 |   4 +-
 i18n/nl.json                 |   4 +-
 i18n/no.json                 |   4 +-
 i18n/oc.json                 |   4 +-
 i18n/pl.json                 |   4 +-
 i18n/pt.json                 |   6 +-
 i18n/ru.json                 |   4 +-
 i18n/sl.json                 |   4 +-
 i18n/zh.json                 |   4 +-
 js/privatebin.js             | 105 ++++++++++++++---------------------
 js/test/CryptTool.js         |   4 +-
 js/test/InitialCheck.js      |  78 ++++++++++++++++++++------
 js/test/ServerInteraction.js |   2 +-
 tpl/bootstrap.php            |   2 +-
 tpl/page.php                 |   2 +-
 19 files changed, 146 insertions(+), 101 deletions(-)

diff --git a/i18n/de.json b/i18n/de.json
index b40ff9b..de62e8f 100644
--- a/i18n/de.json
+++ b/i18n/de.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/es.json b/i18n/es.json
index 10cc7af..6dd9e91 100644
--- a/i18n/es.json
+++ b/i18n/es.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/fr.json b/i18n/fr.json
index d125b51..9b0a872 100644
--- a/i18n/fr.json
+++ b/i18n/fr.json
@@ -168,5 +168,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/hu.json b/i18n/hu.json
index 5016db6..da2dd52 100644
--- a/i18n/hu.json
+++ b/i18n/hu.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/it.json b/i18n/it.json
index 2db8346..125812f 100644
--- a/i18n/it.json
+++ b/i18n/it.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/nl.json b/i18n/nl.json
index 35d540a..4c93d78 100644
--- a/i18n/nl.json
+++ b/i18n/nl.json
@@ -160,6 +160,6 @@
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
         "For more information <a href=\"%s\">see this FAQ entry</a>.",
-    "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/no.json b/i18n/no.json
index 1e19e4c..108ce8d 100644
--- a/i18n/no.json
+++ b/i18n/no.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/oc.json b/i18n/oc.json
index 8b745af..b9fac8f 100644
--- a/i18n/oc.json
+++ b/i18n/oc.json
@@ -168,5 +168,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/pl.json b/i18n/pl.json
index 94f6d74..f1ae43f 100644
--- a/i18n/pl.json
+++ b/i18n/pl.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/pt.json b/i18n/pt.json
index 8db5fb8..f7b7e0b 100644
--- a/i18n/pt.json
+++ b/i18n/pt.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
-}
\ No newline at end of file
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
+}
diff --git a/i18n/ru.json b/i18n/ru.json
index c2b9edf..e084018 100644
--- a/i18n/ru.json
+++ b/i18n/ru.json
@@ -169,5 +169,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/sl.json b/i18n/sl.json
index d34a9b9..e88961d 100644
--- a/i18n/sl.json
+++ b/i18n/sl.json
@@ -168,5 +168,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/i18n/zh.json b/i18n/zh.json
index 8e01b2c..2e2c7de 100644
--- a/i18n/zh.json
+++ b/i18n/zh.json
@@ -159,5 +159,7 @@
     "This website is using an insecure HTTP connection! Please use it only for testing.":
         "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>."
+        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>."
 }
diff --git a/js/privatebin.js b/js/privatebin.js
index 64663d6..9bd336e 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -830,28 +830,13 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         function getRandomBytes(length)
         {
-            if (
-                typeof window !== 'undefined' &&
-                typeof Uint8Array !== 'undefined' &&
-                String.fromCodePoint &&
-                (
-                    typeof window.crypto !== 'undefined' ||
-                    typeof window.msCrypto !== 'undefined'
-                )
-            ) {
-                // modern browser environment
-                let bytes       = '';
-                const byteArray = new Uint8Array(length),
-                      crypto    = window.crypto || window.msCrypto;
-                crypto.getRandomValues(byteArray);
-                for (let i = 0; i < length; ++i) {
-                    bytes += String.fromCharCode(byteArray[i]);
-                }
-                return bytes;
-            } else {
-                // legacy browser or unsupported environment
-                throw 'No supported crypto API detected, you may read pastes and comments, but can\'t create pastes or add new comments.';
+            let bytes       = '';
+            const byteArray = new Uint8Array(length);
+            window.crypto.getRandomValues(byteArray);
+            for (let i = 0; i < length; ++i) {
+                bytes += String.fromCharCode(byteArray[i]);
             }
+            return bytes;
         }
 
         /**
@@ -4537,36 +4522,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             'bot'
         ];
 
-        /**
-         * blacklist of UserAgent versions known not to work with this application
-         *
-         * @private
-         * @enum   {Object}
-         * @readonly
-         */
-        const oldUA = [
-            {
-                'regex': /Chrome\/([0-9]+)/,
-                'minVersion': 57,
-            },
-            {
-                'regex': /Edge\/([0-9]+)/,
-                'minVersion': 16,
-            },
-            {
-                'regex': /Firefox\/([0-9]+)/,
-                'minVersion': 54,
-            },
-            {
-                'regex': /Opera\/.*Version\/([0-9]+)/,
-                'minVersion': 44,
-            },
-            {
-                'regex': /Version\/([0-9]+).*Safari/,
-                'minVersion': 11,
-            }
-        ];
-
         /**
          * check if the connection is insecure
          *
@@ -4602,7 +4557,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             // check whether a bot user agent part can be found in the current
             // user agent
             for (let i = 0; i < badBotUA.length; ++i) {
-                if (navigator.userAgent.indexOf(badBotUA) >= 0) {
+                if (navigator.userAgent.indexOf(badBotUA[i]) >= 0) {
                     return true;
                 }
             }
@@ -4610,7 +4565,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         }
 
         /**
-         * checks whether this is an unsupported browser
+         * checks whether this is an unsupported browser, via feature detection
          *
          * @private
          * @name   InitialCheck.isOldBrowser
@@ -4618,13 +4573,34 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          * @return {bool}
          */
         function isOldBrowser() {
-            for (let i = 0; i < oldUA.length; ++i) {
-                let result = oldUA[i]['regex'].exec(navigator.userAgent);
-                if (result && result[1] < oldUA[i]['minVersion']) {
-                    return true;
-                }
+            // webcrypto support
+            if (typeof window.crypto !== 'object') {
+                return false;
             }
-            return false;
+
+            if (typeof WebAssembly !== 'object' && typeof WebAssembly.instantiate !== 'function') {
+                return false;
+            }
+            try {
+                // [\0, 'a', 's', 'm', (uint_32) 1] - smallest valid wasm module
+                const module = new WebAssembly.Module(Uint8Array.of(0x0, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00));
+                if (
+                    !(
+                        module instanceof WebAssembly.Module &&
+                        new WebAssembly.Instance(module) instanceof WebAssembly.Instance
+                    )
+                ) {
+                    return false;
+                }
+            } catch (e) {
+                return false;
+            }
+
+             // not checking for async/await, ES6, Promise or Uint8Array support,
+             // as most browsers introduced these earlier then webassembly and webcrypto:
+             // https://github.com/PrivateBin/PrivateBin/pull/431#issuecomment-493129359
+
+            return true;
         }
 
         /**
@@ -4644,13 +4620,16 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
 
             if (isOldBrowser()) {
-                $('#oldnotice').toggle(true);
-                // execution will likely fail, but the user agent may be
-                // deliberately set to an incorrect value, so let it proceed
+                // some browsers (Chrome based ones) would have webcrypto support if using HTTPS
+                if (isInsecureConnection()) {
+                    Alert.showError(['Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href="%s">switching to HTTPS</a>.', 'https' + window.location.href.slice(4)]);
+                }
+                $('#oldnotice').removeClass('hidden');
+                return false;
             }
 
             if (isInsecureConnection()) {
-                $('#httpnotice').toggle(true);
+                $('#httpnotice').removeClass('hidden');
             }
 
             return true;
diff --git a/js/test/CryptTool.js b/js/test/CryptTool.js
index 08e54eb..80ea5ec 100644
--- a/js/test/CryptTool.js
+++ b/js/test/CryptTool.js
@@ -10,7 +10,7 @@ describe('CryptTool', function () {
 
         this.timeout(30000);
         it('can en- and decrypt any message', function () {
-            jsc.check(jsc.forall(
+            jsc.assert(jsc.forall(
                 'string',
                 'string',
                 'string',
@@ -193,7 +193,7 @@ describe('CryptTool', function () {
         });
 
         it('can en- and decrypt a particular message (#260)', function () {
-            jsc.check(jsc.forall(
+            jsc.assert(jsc.forall(
                 'string',
                 'string',
                 async function (key, password) {
diff --git a/js/test/InitialCheck.js b/js/test/InitialCheck.js
index 30aba1a..ce46f65 100644
--- a/js/test/InitialCheck.js
+++ b/js/test/InitialCheck.js
@@ -8,24 +8,66 @@ describe('InitialCheck', function () {
             cleanup();
         });
 
-        jsc.property(
-            'returns false and shows error, if a bot UA is detected',
-            'string',
-            jsc.elements(['Bot', 'bot']),
-            'string',
-            function (
-                prefix, botBit, suffix
-            ) {
-                const clean = jsdom(
-                    '<html><body><div id="errormessage" class="hidden"></div></body></html>',
-                    {'userAgent': prefix + botBit + suffix}
-                );
-                var result1 = $.PrivateBin.InitialCheck.init(),
-                    result2 = !$('#errormessage').hasClass('hidden');
-                clean();
-                return result1 && result2;
-            }
-        );
+        it('returns false and shows error, if a bot UA is detected', function () {
+            jsc.assert(jsc.forall(
+                'string',
+                jsc.elements(['Bot', 'bot']),
+                'string',
+                function (prefix, botBit, suffix) {
+                    const clean = jsdom('', {
+                        'userAgent': prefix + botBit + suffix
+                    });
+                    $('body').html(
+                        '<html><body><div id="errormessage" class="hidden"></div>' +
+                        '</body></html>'
+                    );
+                    $.PrivateBin.Alert.init();
+                    const result1 = !$.PrivateBin.InitialCheck.init(),
+                          result2 = !$('#errormessage').hasClass('hidden');
+                    clean();
+                    return result1 && result2;
+                }
+            ),
+            {tests: 1});
+        });
+
+        it('shows error, if no webcrypto is detected', function () {
+            [true, false].map(
+                function (secureProtocol) {
+                    const clean = jsdom('', {
+                        'url': (secureProtocol ? 'https' : 'http' ) + '://[::1]/'
+                    });
+                    $('body').html(
+                        '<html><body><div id="errormessage" class="hidden"></div>'+
+                        '<div id="oldnotice" class="hidden"></div></body></html>'
+                    );
+                    const crypto = window.crypto;
+                    window.crypto = null;
+                    $.PrivateBin.Alert.init();
+                    assert(!$.PrivateBin.InitialCheck.init());
+                    assert(secureProtocol === $('#errormessage').hasClass('hidden'));
+                    assert(!$('#oldnotice').hasClass('hidden'));
+                    window.crypto = crypto;
+                    clean();
+                }
+            );
+        });
+
+        it('shows error, if HTTP only site is detected', function () {
+            [true, false].map(
+                function (secureProtocol) {
+                    const clean = jsdom('', {
+                        'url': (secureProtocol ? 'https' : 'http' ) + '://[::1]/'
+                    });
+                    $('body').html(
+                        '<html><body><div id="httpnotice" class="hidden"></div></body></html>'
+                    );
+                    assert($.PrivateBin.InitialCheck.init());
+                    assert(secureProtocol === $('#httpnotice').hasClass('hidden'));
+                    clean();
+                }
+            );
+        });
     });
 });
 
diff --git a/js/test/ServerInteraction.js b/js/test/ServerInteraction.js
index 6437737..21aa18d 100644
--- a/js/test/ServerInteraction.js
+++ b/js/test/ServerInteraction.js
@@ -9,7 +9,7 @@ describe('ServerInteraction', function () {
         });
         this.timeout(30000);
         it('can prepare an encrypted paste', function () {
-            jsc.check(jsc.forall(
+            jsc.assert(jsc.forall(
                 'string',
                 'string',
                 'string',
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index ab39c7e..4871e2c 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PuvR+R5FHPl2S8Gh6UdybTvipakps3ndEDAUAKoRhgmjmljHqAQLnvG13IkdCTIG2Xxn6peumQPvWhrOg1Xx3Q==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PCFDgDmb2Q5KUo65OaSSyFBtXMUBcpvr1ah2jVvgRWMo1UYiuRaShnkmhiq0gKDRlTi5w2Z9Ttb1hmOmljP0+A==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 436e013..8a32421 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PuvR+R5FHPl2S8Gh6UdybTvipakps3ndEDAUAKoRhgmjmljHqAQLnvG13IkdCTIG2Xxn6peumQPvWhrOg1Xx3Q==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PCFDgDmb2Q5KUo65OaSSyFBtXMUBcpvr1ah2jVvgRWMo1UYiuRaShnkmhiq0gKDRlTi5w2Z9Ttb1hmOmljP0+A==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From d9f27fb0042eb191324e701535cd5a96c9c7b2fc Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sun, 23 Jun 2019 09:39:21 +0200
Subject: [PATCH 15/18] avoid instability of tests due to Alert callback
 testing, which can prevent notifications from getting displayed

---
 js/privatebin.js  | 4 ++--
 js/test/Alert.js  | 1 +
 tpl/bootstrap.php | 2 +-
 tpl/page.php      | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 9bd336e..2d33062 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4556,8 +4556,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         function isBadBot() {
             // check whether a bot user agent part can be found in the current
             // user agent
-            for (let i = 0; i < badBotUA.length; ++i) {
-                if (navigator.userAgent.indexOf(badBotUA[i]) >= 0) {
+            for (const UAfragment of badBotUA) {
+                if (navigator.userAgent.indexOf(UAfragment) >= 0) {
                     return true;
                 }
             }
diff --git a/js/test/Alert.js b/js/test/Alert.js
index 617c488..8f79f7e 100644
--- a/js/test/Alert.js
+++ b/js/test/Alert.js
@@ -218,6 +218,7 @@ describe('Alert', function () {
                     return jsc.random(0, 1) ? true : $element;
                 });
                 functions[trigger](message);
+                $.PrivateBin.Alert.setCustomHandler(null);
                 return handlerCalled;
             }
         );
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 4871e2c..b60a9ce 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PCFDgDmb2Q5KUo65OaSSyFBtXMUBcpvr1ah2jVvgRWMo1UYiuRaShnkmhiq0gKDRlTi5w2Z9Ttb1hmOmljP0+A==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Vv7H6Clyx/hCJ0CZGXO+aJr6UERFwpxHXhhqfYyQNTj0F7pZKAYFrKePW3xn/EZVAUvUXnVmVCRFuziKkcOYg==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 8a32421..32e662b 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PCFDgDmb2Q5KUo65OaSSyFBtXMUBcpvr1ah2jVvgRWMo1UYiuRaShnkmhiq0gKDRlTi5w2Z9Ttb1hmOmljP0+A==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Vv7H6Clyx/hCJ0CZGXO+aJr6UERFwpxHXhhqfYyQNTj0F7pZKAYFrKePW3xn/EZVAUvUXnVmVCRFuziKkcOYg==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From dc193f75554e7ef5ef1f8fb890e3e90434e78e6b Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sun, 23 Jun 2019 09:54:48 +0200
Subject: [PATCH 16/18] Revert "removing exceptions - in these cases server
 admins can opt to disable the warning message in the configuration"

This reverts commit d0365faf769ddadd0f1322d54ad3da6323bd3ebf.
---
 js/privatebin.js  | 19 +++++++++++++++++++
 tpl/bootstrap.php |  2 +-
 tpl/page.php      |  2 +-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 2d33062..c2085f9 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4538,10 +4538,29 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
 
             const url = new URL(window.location);
+
             // HTTP is obviously insecure
             if (url.protocol !== 'http:') {
                 return false;
             }
+
+            // filter out actually secure connections over HTTP
+            if (
+                url.hostname.endsWith('.onion') ||
+                url.hostname.endsWith('.i2p')
+            ) {
+                return false;
+            }
+
+            // whitelist localhost for development
+            if (
+                url.hostname === 'localhost' ||
+                url.hostname === '127.0.0.1'
+            ) {
+                return false;
+            }
+
+            // totally INSECURE http protocol!
             return true;
         }
 
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index b60a9ce..45b231e 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Vv7H6Clyx/hCJ0CZGXO+aJr6UERFwpxHXhhqfYyQNTj0F7pZKAYFrKePW3xn/EZVAUvUXnVmVCRFuziKkcOYg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5gKAd6tYYmYAFpoLXkuB0nmvFrNpgK9E79RrlwEfde/aWrdAczlD6lL06IFg0E00vUajgMzxM3WlTw25M7lFLw==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 32e662b..aaddba1 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Vv7H6Clyx/hCJ0CZGXO+aJr6UERFwpxHXhhqfYyQNTj0F7pZKAYFrKePW3xn/EZVAUvUXnVmVCRFuziKkcOYg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5gKAd6tYYmYAFpoLXkuB0nmvFrNpgK9E79RrlwEfde/aWrdAczlD6lL06IFg0E00vUajgMzxM3WlTw25M7lFLw==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From 61fde53de04193e19380b4a2a27723a748909c90 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sun, 23 Jun 2019 09:56:18 +0200
Subject: [PATCH 17/18] adding IPv6 localhost to exceptions

---
 js/privatebin.js  | 3 ++-
 tpl/bootstrap.php | 2 +-
 tpl/page.php      | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index c2085f9..8c9b609 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4555,7 +4555,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             // whitelist localhost for development
             if (
                 url.hostname === 'localhost' ||
-                url.hostname === '127.0.0.1'
+                url.hostname === '127.0.0.1' ||
+                url.hostname === '[::1]'
             ) {
                 return false;
             }
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 45b231e..3e090f5 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5gKAd6tYYmYAFpoLXkuB0nmvFrNpgK9E79RrlwEfde/aWrdAczlD6lL06IFg0E00vUajgMzxM3WlTw25M7lFLw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3ztSV/4pvPksAzHBo/tSKzDa6wLomQpV6gZgzHCwzS7DgRJ8ckw7oO1sxiNI/H3Imh4wGHFKNaqCkbYU7JTdRA==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index aaddba1..8c9f1b0 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5gKAd6tYYmYAFpoLXkuB0nmvFrNpgK9E79RrlwEfde/aWrdAczlD6lL06IFg0E00vUajgMzxM3WlTw25M7lFLw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3ztSV/4pvPksAzHBo/tSKzDa6wLomQpV6gZgzHCwzS7DgRJ8ckw7oO1sxiNI/H3Imh4wGHFKNaqCkbYU7JTdRA==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->

From 40493dfb3aa9c97fddaa630e09373a72b206508e Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sun, 23 Jun 2019 10:38:08 +0200
Subject: [PATCH 18/18] simplify logic, adding test cases for all combinations
 of URLs that are regarded as secure context

---
 js/privatebin.js        | 19 ++++-----
 js/test/InitialCheck.js | 90 ++++++++++++++++++++++++-----------------
 tpl/bootstrap.php       |  2 +-
 tpl/page.php            |  2 +-
 4 files changed, 63 insertions(+), 50 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 8c9b609..51ffbee 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -4545,20 +4545,17 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
 
             // filter out actually secure connections over HTTP
-            if (
-                url.hostname.endsWith('.onion') ||
-                url.hostname.endsWith('.i2p')
-            ) {
-                return false;
+            for (const tld of ['.onion', '.i2p']) {
+                if (url.hostname.endsWith(tld)) {
+                    return false;
+                }
             }
 
             // whitelist localhost for development
-            if (
-                url.hostname === 'localhost' ||
-                url.hostname === '127.0.0.1' ||
-                url.hostname === '[::1]'
-            ) {
-                return false;
+            for (const hostname of ['localhost', '127.0.0.1', '[::1]']) {
+                if (url.hostname === hostname) {
+                    return false;
+                }
             }
 
             // totally INSECURE http protocol!
diff --git a/js/test/InitialCheck.js b/js/test/InitialCheck.js
index ce46f65..7931a9e 100644
--- a/js/test/InitialCheck.js
+++ b/js/test/InitialCheck.js
@@ -28,46 +28,62 @@ describe('InitialCheck', function () {
                     return result1 && result2;
                 }
             ),
-            {tests: 1});
+            {tests: 10});
         });
 
-        it('shows error, if no webcrypto is detected', function () {
-            [true, false].map(
-                function (secureProtocol) {
-                    const clean = jsdom('', {
-                        'url': (secureProtocol ? 'https' : 'http' ) + '://[::1]/'
-                    });
-                    $('body').html(
-                        '<html><body><div id="errormessage" class="hidden"></div>'+
-                        '<div id="oldnotice" class="hidden"></div></body></html>'
-                    );
-                    const crypto = window.crypto;
-                    window.crypto = null;
-                    $.PrivateBin.Alert.init();
-                    assert(!$.PrivateBin.InitialCheck.init());
-                    assert(secureProtocol === $('#errormessage').hasClass('hidden'));
-                    assert(!$('#oldnotice').hasClass('hidden'));
-                    window.crypto = crypto;
-                    clean();
-                }
-            );
-        });
+        jsc.property(
+            'shows error, if no webcrypto is detected',
+            'bool',
+            jsc.elements(['localhost', '127.0.0.1', '[::1]', '']),
+            jsc.nearray(common.jscA2zString()),
+            jsc.elements(['.onion', '.i2p', '']),
+            function (secureProtocol, localhost, domain, tld) {
+                const isDomain = localhost === '',
+                      isSecureContext = secureProtocol || !isDomain || tld.length > 0,
+                      clean = jsdom('', {
+                          'url': (secureProtocol ? 'https' : 'http' ) + '://' +
+                                 (isDomain ? domain.join('') + tld : localhost) + '/'
+                      });
+                $('body').html(
+                    '<html><body><div id="errormessage" class="hidden"></div>'+
+                    '<div id="oldnotice" class="hidden"></div></body></html>'
+                );
+                const crypto = window.crypto;
+                window.crypto = null;
+                $.PrivateBin.Alert.init();
+                const result1 = !$.PrivateBin.InitialCheck.init(),
+                      result2 = isSecureContext === $('#errormessage').hasClass('hidden'),
+                      result3 = !$('#oldnotice').hasClass('hidden');
+                window.crypto = crypto;
+                clean();
+                return result1 && result2 && result3;
+            }
+        );
 
-        it('shows error, if HTTP only site is detected', function () {
-            [true, false].map(
-                function (secureProtocol) {
-                    const clean = jsdom('', {
-                        'url': (secureProtocol ? 'https' : 'http' ) + '://[::1]/'
-                    });
-                    $('body').html(
-                        '<html><body><div id="httpnotice" class="hidden"></div></body></html>'
-                    );
-                    assert($.PrivateBin.InitialCheck.init());
-                    assert(secureProtocol === $('#httpnotice').hasClass('hidden'));
-                    clean();
-                }
-            );
-        });
+        jsc.property(
+            'shows error, if HTTP only site is detected',
+            'bool',
+            jsc.elements(['localhost', '127.0.0.1', '[::1]', '']),
+            jsc.nearray(common.jscA2zString()),
+            jsc.elements(['.onion', '.i2p', '']),
+            function (secureProtocol, localhost, domain, tld) {
+                const isDomain = localhost === '',
+                      isSecureContext = secureProtocol || !isDomain || tld.length > 0,
+                      clean = jsdom('', {
+                          'url': (secureProtocol ? 'https' : 'http' ) + '://' +
+                               (isDomain ? domain.join('') + tld : localhost) + '/'
+                      });
+                $('body').html(
+                    '<html><body><div id="httpnotice" class="hidden"></div>'+
+                    '</body></html>'
+                );
+                $.PrivateBin.Alert.init();
+                const result1 = $.PrivateBin.InitialCheck.init(),
+                      result2 = isSecureContext === $('#httpnotice').hasClass('hidden');
+                clean();
+                return result1 && result2;
+            }
+        );
     });
 });
 
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 3e090f5..c428ceb 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3ztSV/4pvPksAzHBo/tSKzDa6wLomQpV6gZgzHCwzS7DgRJ8ckw7oO1sxiNI/H3Imh4wGHFKNaqCkbYU7JTdRA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V0v5OOCcrMFtPsP9xWbKjoaRBobWrMdKdiDPn1tK8Kq8uzbEOK8tY0JXCbEqVpPyJ3/hVrtfjdXhgGaxeMUj3g==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 8c9f1b0..e535f6f 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.10.js" integrity="sha512-CqskSFXERL38A1PJP9BlO04me7kmwgDIhN1+k24RoFiisEwXA0BMdm0lzJC7g5jCRZ4k5OYdOJGEqW9CwDl4CA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3ztSV/4pvPksAzHBo/tSKzDa6wLomQpV6gZgzHCwzS7DgRJ8ckw7oO1sxiNI/H3Imh4wGHFKNaqCkbYU7JTdRA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V0v5OOCcrMFtPsP9xWbKjoaRBobWrMdKdiDPn1tK8Kq8uzbEOK8tY0JXCbEqVpPyJ3/hVrtfjdXhgGaxeMUj3g==" crossorigin="anonymous"></script>
 		<!--[if IE]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;}</style>
 		<![endif]-->