This one does not require that you have JavaScripts enabled, but will work automatically if you do have JavaScripts enabled. It also provides a program written in C that you may use in case you have C and OpenSSL (and you are willing to trust the C program) but do not have a web browser compatible with the included JavaScript program (which uses the JavaScript integer type and the SubtleCrypto API). I think these are good ideas; too many such things will not work at all without JavaScripts, while this one will work either way, so it is better.
However, there are some potential problems with this, such as:
- The text should probably explain that the cookie resulting from the form submission is required (in case someone has a browser that is set to discard cookies early in some circumstances (e.g. after following an external link), and does not know what is wrong).
- The cookie is only valid for one week, and does not seem to check for the previous value as well as the current value.
- Sometimes you might want to download a non-HTML file using curl, and it does not seem to consider that.
- The documentation mentions some other problems with it, in the "Bugs" section.
Also, when trying to access one of the files without HTTPS: "Please tell your browser to use HTTPS and don’t rely on HTTP-to-HTTPS redirects." This makes sense if you are trying to use HTTPS; I agree that you should not rely on HTTP-to-HTTPS redirects (which are not helpful anyways, but they are very common even though I think it is a bad idea). However, this assumes that you are trying to use HTTPS; maybe that is not your intention.
The main reason for the non-JS solution is because a lot of people in communities around me, me included, generally block JS in their browsers, and I thought it'd be cool to have a non-JS PoW solution.
To be honest I would prefer if this could be computed with a simple shell script, but calling sha256sum in a loop is ridiculously slow. I might consider other methods of doing proof of work in the future (IIRC it's possible with argon2).
I agree. I also usually disable JavaScripts in the browser, and I think it is a good idea what you did with this. (Some users also may be using a browser without JavaScripts, so it is helpful with that too.)
I also agree that a simple shell script would probably be better, although nevertheless it is explained and someone could implement their own if they want to do, so it is good enough for now.
However, there are some potential problems with this, such as:
- The text should probably explain that the cookie resulting from the form submission is required (in case someone has a browser that is set to discard cookies early in some circumstances (e.g. after following an external link), and does not know what is wrong).
- The cookie is only valid for one week, and does not seem to check for the previous value as well as the current value.
- Sometimes you might want to download a non-HTML file using curl, and it does not seem to consider that.
- The documentation mentions some other problems with it, in the "Bugs" section.
Also, when trying to access one of the files without HTTPS: "Please tell your browser to use HTTPS and don’t rely on HTTP-to-HTTPS redirects." This makes sense if you are trying to use HTTPS; I agree that you should not rely on HTTP-to-HTTPS redirects (which are not helpful anyways, but they are very common even though I think it is a bad idea). However, this assumes that you are trying to use HTTPS; maybe that is not your intention.