diff --git a/README.md b/README.md
index 589798b8..74f8541f 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@
| | | |
| ----------- | ----------- | ----------- |
| [Install](#install-and-run-on-linux) | [Features](#main-features) | [Screenshots](#screenshots)|
-| [Docs](#documentation)/[web copy](https://beardog108.github.io/onionr/) | [Get involved](#help-out) | [Onionr.net](https://onionr.net/)/[.onion](http://onionr.onionkvc5ibm37bmxwr56bdxcdnb6w3wm4bdghh5qo6f6za7gn7styid.onion/) |
+| [Docs](#documentation)/[web copy](https://beardog108.github.io/onionr/) | [Get involved](#help-out) | [Onionr.net](https://onionr.net/)/[.onion](http://onionrbak72t5zhbzuey2fdkpczlvhowgcpqc6uoyrd3uxztzxwz5cyd.onion/) |
diff --git a/docs/usage/pages.md b/docs/usage/pages.md
new file mode 100644
index 00000000..16b44e0a
--- /dev/null
+++ b/docs/usage/pages.md
@@ -0,0 +1,59 @@
+Onionr sites come in two forms:
+
+* Single-page sites, identified by the hash of a single page contained within a single Onionr block.
+
+* Multi-page sites, identified by a user ID. Contains directory archives of a full site.
+
+
+# Metadata Awareness
+
+Before creating an Onionr site, one should be cautious of the metadata one could be leaking. For example, some HTML generators may insert author meta tags. Onionr does not filter out any web page data.
+
+# No JavaScript, no third-party resources
+
+Currently, in order to protect Onionr users, JavaScript is disabled within Onionr sites. JS will remain present in the HTML file, but be non functional. Additionally, third party resources outside of Onionr cannot be loaded.
+
+
+# Creating multi page sites
+
+Multi page sites are the most useful, as they can contain an arbitrary amount of static files.
+
+To create a single page site, create a directory for your site and write standard HTML file(s) within them. CSS, images and other files can be placed in the directory as well. The home page should be name index.html and in the parent level directory.
+
+Then, create a strong passphrase for the site. If the site will be updated, be sure to write it down or remember it. A strong passphrase can be generated by running:
+
+`$ scripts/passphrase-generator.py`
+
+Sample output: lovesick blubberer haemoglobin... and so on.
+
+## Generating or updating the site:
+
+`$ ./onionr.sh addsite`
+
+All files in the current working directory will be added to the site.
+
+The command will prompt for a passphrase.
+
+After the site is generated, a user ID that identifies the site will be outputted.
+
+# Creating single page sites
+
+Single page sites are incredibly straight forward.
+
+Single page sites cannot be modified or updated, but are somewhat more secure due to having lower complexity.
+
+To create a single page site, write a standard HTML file. Inline or data-uri CSS can be included, as well as data-uri images. Data-URI generators can be found online.
+
+After creating the HTML file, run this command:
+
+`$ ./onionr.sh addhtml filename.html`
+
+![single page screenshot](single-page.png)
+
+# Viewing sites
+
+To view a site, open the Onionr web interface and paste the site hash or ID into the site opener box that looks like this:
+
+![site opener box screenshot](site-opener.png)
+
+Then, press open.
diff --git a/docs/usage/single-page.png b/docs/usage/single-page.png
new file mode 100644
index 00000000..5aac0ac8
Binary files /dev/null and b/docs/usage/single-page.png differ
diff --git a/docs/usage/site-opener.png b/docs/usage/site-opener.png
new file mode 100644
index 00000000..23fec840
Binary files /dev/null and b/docs/usage/site-opener.png differ
diff --git a/scripts/README.md b/scripts/README.md
new file mode 100644
index 00000000..acdc9cb4
--- /dev/null
+++ b/scripts/README.md
@@ -0,0 +1,3 @@
+This directory contains useful scripts and utilities that don't make sense to include as official Onionr features.
+
+passphrase-generator.py: very simple utility to generate and print a strong passphrase to stdout. 256 bits of entropy by default.
\ No newline at end of file
diff --git a/scripts/passphrase-generator.py b/scripts/passphrase-generator.py
new file mode 100755
index 00000000..d0d98dad
--- /dev/null
+++ b/scripts/passphrase-generator.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+"""Generate a 16 word passphase with 256 bits of entropy.
+
+Specify true to reduce to 128 bits"""
+
+
+import sys
+
+import niceware
+
+byte_count = 32 # 256 bits of entropy with niceware
+
+arg = False
+try:
+ arg = sys.argv[1].lower()
+ if arg == 'true':
+ byte_count = 16
+except IndexError: pass
+
+print(' '.join(niceware.generate_passphrase(byte_count)))
diff --git a/src/bigbrother/ministry/ofexec.py b/src/bigbrother/ministry/ofexec.py
index a9cbcccd..51b1b857 100644
--- a/src/bigbrother/ministry/ofexec.py
+++ b/src/bigbrother/ministry/ofexec.py
@@ -45,9 +45,11 @@ def block_exec(event, info):
"""Prevent arbitrary code execution in eval/exec and log it."""
# because libraries have stupid amounts of compile/exec/eval,
# We have to use a whitelist where it can be tolerated
+ # Generally better than nothing, not a silver bullet
whitelisted_code = [
'netrc.py',
'shlex.py',
+ 'gzip.py',
'',
'werkzeug/test.py',
'multiprocessing/popen_fork.py',
diff --git a/src/httpapi/security/client.py b/src/httpapi/security/client.py
index 86609d70..fbb6b288 100644
--- a/src/httpapi/security/client.py
+++ b/src/httpapi/security/client.py
@@ -51,13 +51,13 @@ class ClientAPISecurity:
return
if request.path.startswith('/site/'): return
- # try:
- # if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
- # if not hmac.compare_digest(request.form['token'], client_api.clientToken):
- # abort(403)
- # except KeyError:
- # if not hmac.compare_digest(request.form['token'], client_api.clientToken):
- # abort(403)
+ try:
+ if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
+ if not hmac.compare_digest(request.form['token'], client_api.clientToken):
+ abort(403)
+ except KeyError:
+ if not hmac.compare_digest(request.form['token'], client_api.clientToken):
+ abort(403)
@client_api_security_bp.after_app_request
def after_req(resp):
diff --git a/src/onionrcommands/sitecreator.py b/src/onionrcommands/sitecreator.py
index b743aaae..b0d14ed0 100644
--- a/src/onionrcommands/sitecreator.py
+++ b/src/onionrcommands/sitecreator.py
@@ -40,7 +40,7 @@ If you want to update your site later you must remember the passphrase.''',
passphrase = getpass.getpass(
'Please enter a site passphrase of at least ' +
- onionrvalues.PASSWORD_LENGTH + ' characters.')
+ str(onionrvalues.PASSWORD_LENGTH) + ' characters.')
confirm = getpass.getpass('Confirm passphrase:')
if passphrase != confirm:
diff --git a/static-data/www/shared/main/torstats.js b/static-data/www/shared/main/torstats.js
index 91f00162..af51f840 100644
--- a/static-data/www/shared/main/torstats.js
+++ b/static-data/www/shared/main/torstats.js
@@ -1,4 +1,8 @@
-var torSource = new EventSourcePolyfill("/torcircuits")
+var torSource = new EventSourcePolyfill('/torcircuits', {
+ headers: {
+ "token": webpass
+ }
+ })
var displays = document.getElementsByClassName('torInfo')
for (x = 0; x < displays.length; x++){