You can now grab the new Haketilo from the Releases page.
- source tarball
- .xpi build for Mozilla-based browsers (unsigned)
- .zip build for Chromium-based browsers
- Signify signatures
- PGP signatures
You might want to take a look at the list of most important changes:
- Haketilo now accepts Hydrilla API responses with JSON schema version specified as 2.x. Some of the features (permissions, see below) are not fully supported, though.
- Haketilo no longer blocks the use of
eval()in injected scripts. This currently affects all payloads, regardless of the permissions set.
- Injected scripts can now make HTTP requests that bypass CORS rules. This also currently affects all payloads, regardless of the permissions set.
https://hydrilla.koszko.org/api_v2/is now used as the default scripts repository address. Haketilo will update from the old address automatically.
The future of Haketilo¶
A careful evaluation of the Mozilla Add-on Policies showed that a signed version of Haketilo for Mozilla browsers can no longer be delivered. The main reason is the following rule:
Add-ons must not relax web page security headers, such as the Content Security Policy.
To be able to modify sites in the desired way Haketilo has to replace
Content-Security-Policy HTTP headers with its own. There currently exists no alternative solution which would not limit the extension in an unacceptable way.
In addition, several other policies as well as the limited WebExtension APIs have been posing serious obstacles. Due to these problems, a decision has been made to instead develop Haketilo as an HTTP proxy.
2.0 will be the last feature release of Haketilo as a browser extension.
Haketilo v3.0 is going to be a tool incorporating the popular mitmproxy and also sharing some of the code with Hydrilla. This will hopefully also allow more web browsers to be used with it regardless of their WebExtension support.