Project

General

Profile

Activity

From 06/18/2021 to 07/17/2021

07/17/2021

09:58 PM Bug #54: Remote-storage port(s) are disconnected while still in use
That's possible. I've been fighting these ports also when making the popup page.
Any additional details as to how ...
koszko
09:12 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use
Potentially there are other issues with storage, and the situation may not even be limited to Gecko; however, these a... jahoti
02:50 PM Feature #25: stop always using the same script nonce on given https(s) site
> * The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it ... koszko
12:52 PM Feature #25: stop always using the same script nonce on given https(s) site
> I was arguing for drawing a salt and deriving the nonce from salt, URL, time and secret.
That makes sense!
> ...
jahoti
11:23 AM Feature #25: stop always using the same script nonce on given https(s) site
> Just to check, are you arguing for drawing one random value or a salt and, separately, a nonce?
I was arguing fo...
koszko
09:42 AM Feature #25: stop always using the same script nonce on given https(s) site
>> That would be OK- the nonce can be (and is) generated randomly for each request[...]
> And we need either salt or...
jahoti
08:33 AM Feature #25: stop always using the same script nonce on given https(s) site
jahoti wrote:
> >> In the current PoC that would still let them whitelist the page entirely
> > Right, I missed tha...
koszko
09:09 AM Bug #53 (Closed): Interference with existing CSP headers
Current handling of pre-existing CSP headers needs to be refined:
* Pre-existing http-equiv embeds and actual header...
jahoti
09:02 AM Bug #52 (Closed): Headers not updated on cached requests
Thanks for the API suggestions! It turns out the issue was indeed the same as you worked around earlier, and a minor ... jahoti
02:00 AM Revision 8b823e1a (haketilo): Revamp signatures and break header caching on FF
Signatures, instead of consisting of the secure salt followed by the unique
value generated from the URL, are now the...
jahoti

07/16/2021

12:25 AM Feature #25: stop always using the same script nonce on given https(s) site
>> In the current PoC that would still let them whitelist the page entirely
> Right, I missed that. How about when s...
jahoti
12:05 PM Feature #25: stop always using the same script nonce on given https(s) site
> >> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> > Not if s...
koszko
11:32 AM Feature #25: stop always using the same script nonce on given https(s) site
>> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> Not if someo...
jahoti
10:06 AM Feature #25: stop always using the same script nonce on given https(s) site
> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
Not if someon...
koszko
09:03 AM Feature #25: stop always using the same script nonce on given https(s) site
> It does actually show up, at least under Chromium, but only for a moment. Or rather it used to show up, before I co... jahoti
09:33 AM Bug #52: Headers not updated on cached requests
There seem to be some APIs for that. The one that reloads a tab while bypassing cache seems to be the most promising:... koszko
09:06 AM Bug #52 (Closed): Headers not updated on cached requests
When a page is loaded from the cache (e.g. after reloading), we don't (can't?) modify the headers. That means, for in... jahoti
02:00 AM Revision 692577bb (haketilo): Use URL-based policy smuggling
Increase the power of URL-based smuggling by making it (effectively)
compulsory in all cases and adapting a <salt><un...
jahoti

07/14/2021

12:16 PM Feature #25: stop always using the same script nonce on given https(s) site
> Unless you get to it first, I'll try implementing it in the next 24 hours.
Go on. I am doing repo stuff right no...
koszko
11:27 AM Feature #25: stop always using the same script nonce on given https(s) site
I agree with doing it as a PoC with JSON-encoded settings; that was the idea I meant to communicate, even if (looking... jahoti
09:40 AM Feature #25: stop always using the same script nonce on given https(s) site
> While the details should still be discussed before declaring it finalized
It's still possible to make a proof-of...
koszko
07:28 AM Feature #25: stop always using the same script nonce on given https(s) site
> In general, after `#' we can have the unique value used to authenticate the injected string, followed by settings s... jahoti
11:57 AM Feature #36: prepare application for NLnet fund
Slightly adjusted to reflect the fact that there is now a stakeholders (ugh) section, a brief section on technical ch... jahoti
11:47 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle
As per message#49 this is dependent on dropping the use of unfixed verifiers ("unique values"), which is properly a s... jahoti

07/13/2021

12:22 PM Feature #25: stop always using the same script nonce on given https(s) site
> only question is how to fit it alongside the smuggled whitelisting code; do you have a possible scheme?
The whi...
koszko
11:46 AM Feature #25: stop always using the same script nonce on given https(s) site
> However, one more thing came to my mind. When rewriting headers, we could also smuggle the random nonce (or better ... jahoti
11:38 AM Feature #25: stop always using the same script nonce on given https(s) site
> > Also, have you thought about deriving HTTP(s) nonce from url, tab id and frame id? This way we would not need to ... koszko

07/12/2021

12:01 AM Feature #25: stop always using the same script nonce on given https(s) site
> I think we should also add some way to forget the nonces that are not going to be used anymore (for example because... jahoti
02:35 PM Feature #25 (In Progress): stop always using the same script nonce on given https(s) site
Merged into master. Honestly, I am neutral towards that unrelated patch.
I think we should also add some way to fo...
koszko
07:13 AM Feature #25 (Feedback): stop always using the same script nonce on given https(s) site
jahoti
07:08 AM Feature #25: stop always using the same script nonce on given https(s) site
Patch awaiting acceptance/rejection: testing on Chromium is *critical*, as there is a potential (albeit improbable) r... jahoti
02:22 PM Revision 1789f174 (haketilo): merge jahoti into master
koszko
07:14 AM Feature #44 (Resolved): Load in default settings using the build system
jahoti
07:10 AM Feature #44 (Feedback): Load in default settings using the build system
jahoti
07:10 AM Feature #44 (In Progress): Load in default settings using the build system
jahoti
07:09 AM Feature #44 (Feedback): Load in default settings using the build system
jahoti
02:00 AM Revision dcfc78b0 (haketilo): Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores ...
jahoti

07/11/2021

02:00 AM Revision 0e002513 (haketilo): Remove redundant nonce-based filtering in the script suppressor
jahoti
02:00 AM Revision 229e86f6 (haketilo): Integrate browser.js into exports_init.js, and streamline the result
jahoti

07/10/2021

01:43 AM Feature #51 (New): [Roadmap 10][Milestone] Support internationalization
The WebExtensions standard includes a system for supporting translation of the extension UI: <https://developer.mozil... jahoti

07/09/2021

05:16 PM Feature #40 (Closed): Move documentation to wiki
jahoti wrote:
> The only issue is a few references to the build system, which treat it as hypothetical;
I think t...
koszko
05:05 AM Feature #40 (Feedback): Move documentation to wiki
jahoti

07/06/2021

12:26 AM Feature #50 (Closed): Standardize repository APIs/data formats
It doesn't need to be anything formal; however, without such a standard client- and server-side development in this a... jahoti
12:09 AM Feature #48: Load default_setting.json using XMLHttpRequest
(Responding here as the other issue is now resolved.)
> Btw, I am considering maintaining old build.sh alongside t...
jahoti
12:12 PM Feature #48 (Rejected): Load default_setting.json using XMLHttpRequest
I believe XMLHttpRequest can also be used to fetch extension's own files. After fetching the default settings file, w... koszko
12:05 AM Feature #44 (Resolved): Load in default settings using the build system
jahoti
01:48 PM Feature #44: Load in default settings using the build system
Btw, I am considering maintaining old build.sh alongside the new build.html. Plus, IMHO, changing to use XMLHttpReque... koszko
12:16 PM Feature #44: Load in default settings using the build system
That would be a very, very good idea (albeit much less relevant if the build system is rewritten in JS). jahoti
12:06 PM Feature #44: Load in default settings using the build system
Perhaps we could load default_settings.json using XMLHttpRequest and this way reduce the complexity of build system a... koszko
06:45 PM Feature #49 (Closed): add some nice styling to popup
Edit html/display-panel.html and html/display-panel.js, maybe add a separace .css file.
This shall involve heavy c...
koszko
06:27 PM Revision c86bdfcd (haketilo): Merge popup display
koszko
06:25 PM Revision b7e2870f (haketilo): show some settings of the current page in the popup
koszko
05:10 PM Feature #11: add some nice styling to settings page
By the way, "adding styling" is not supposed to mean just writing some CSS. Heavy changes to HTML, accompanied with u... koszko
01:51 PM Feature #22: supplement the build script with a makefile, also produce zipped artifacts
Unless we decide to keep the old build script and maintain both. Consider packaging of the extension for distros.
Ha...
koszko
12:19 PM Feature #22: supplement the build script with a makefile, also produce zipped artifacts
Potentially obsoleted by #47 jahoti
12:13 PM Feature #30: Rename the extension and find some good icon 🪓
Adjusted in reference to https://hachettebugs.koszko.org/boards/2/topics/6 jahoti
11:50 AM Feature #47 (Rejected): [Roadmap 24][Milestone] Rewrite the build script in a self-contained HTML file
Details here: https://hachettebugs.koszko.org/boards/1/topics/1
[Roadmap](/projects/hachette/wiki/Roadmap#Mileston...
koszko

07/05/2021

04:50 AM Feature #40: Move documentation to wiki
(Thank you for switching it to Markdown!)
The documentation is now all on the wiki, with a slight re-organization ...
jahoti

07/04/2021

12:12 AM Bug #42 (Rejected): Nonce not set on injected scripts
jahoti
11:05 PM Feature #40: Move documentation to wiki
Changed to Markdown as per your request koszko
05:59 AM Feature #40 (In Progress): Move documentation to wiki
Unless anybody else wants to take this task on, I'm happy to do so (having managed to create the wiki).
However, t...
jahoti
04:50 AM Feature #37: prepare some website fixes usable with this extension
Patch pushed to git (awaiting acceptance/rejection from master branch) changes the defaults to include a few tested f... jahoti
04:47 AM Feature #44 (In Progress): Load in default settings using the build system
Patch pushed to git; awaiting acceptance/rejection from master branch. jahoti
04:38 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Thank you for the screenshot! Now I see what you mean, and do indeed have that ability (as well as wiki page creation... jahoti
02:00 AM Revision 2059fab6 (haketilo): Revamp default settings
Default settings are now provided in the same format as data exported from the
extension, incorporating them into the...
jahoti

07/02/2021

11:08 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Perhaps. However, I also had hard time trying to find where the edit option is... Just in case - I am sending a scree... koszko
10:51 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
It partly helped- I can see a lot more options than previously! There's still no way to edit the issue, however, whic... jahoti
11:36 AM Feature #14 (In Progress): test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
I added you to the project. Perhaps it will work now koszko
02:55 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
I can't work out how to edit it in: Tor Browser 10.0.17 jahoti
09:34 PM Bug #39 (Closed): Redmine is unbelievably slow. do sth about it
koszko
11:55 AM Revision d0ae3939 (haketilo): enable opening settings page with certain item immediately in edit mode
koszko
11:54 AM Revision 8708ddd3 (haketilo): move parsing of url with targets to misc.js
koszko
11:48 AM Revision b4282398 (haketilo): ignore some special files (emacs automatic backups) when building
koszko
09:06 AM Feature #45 (Rejected): Add a universal wildcard for URLs
Potentially something to consider carefully, as it is obviously open to misuse, a way to signal a script should run o... jahoti
03:22 AM Feature #44 (Closed): Load in default settings using the build system
Currently default settings are integrated into the source code, which makes it difficult to add or modify the built-i... jahoti
03:01 AM Feature #8: add some good, sane error handling
Also what happens when the hash of a remotely loaded script doesn't match what is set- some update mechanism perhaps? jahoti
02:21 AM Feature #40: Move documentation to wiki
There's no wiki to move documentation to yet (it seems you're the only one with the power to create one). jahoti
02:09 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle
All supported browsers provide built-in support for hashing and other cryptographic methods through built-in APIs. Th... jahoti
02:02 AM Bug #42 (Rejected): Nonce not set on injected scripts
**Update: rejected as this the expected behaviour, and is present at least as far back as commit 86ad1c6e0cf8a9ec3a52... jahoti

07/01/2021

08:01 PM Feature #9 (In Progress): make page settings easily and conveniently editable in popup
koszko
12:10 PM Feature #9 (Rejected): make page settings easily and conveniently editable in popup
koszko
06:15 PM Feature #40 (Closed): Move documentation to wiki
Documentation is currently on https://koszko.org/browser-extension-doc.html and https://git.koszko.org/browser-extens... koszko
05:12 PM Revision 008efedd (haketilo): Employ issue tracker
koszko
04:52 PM Bug #39: Redmine is unbelievably slow. do sth about it
Seems to have been due to matrix-synapse I left running on the VPS eating all the RAM and swap... Let's let redmine o... koszko
04:50 PM Bug #39 (In Progress): Redmine is unbelievably slow. do sth about it
koszko
04:50 PM Bug #39 (Feedback): Redmine is unbelievably slow. do sth about it
koszko
04:07 PM Bug #39 (Closed): Redmine is unbelievably slow. do sth about it
koszko
01:52 PM Feature #38 (Rejected): Add support to also inject css files to pages
koszko
01:51 PM Feature #37 (Closed): prepare some website fixes usable with this extension
Hachette's goal (not the only one) is to enable fixing of nonfree-js-encumbered sites and sharing the fixes. However,... koszko
01:11 PM Feature #36 (Closed): prepare application for NLnet fund
Current efforts are on [[NLNet_application_for_UOI_Call_August_2021]]. koszko
01:07 PM Feature #34 (Closed): improve CSP injection blocking
There are some possible pathological cases like `<script>` before `<head>`. We should make sure CSP `<meta>` tag we i... koszko
01:05 PM Feature #33 (Rejected): Add more possibilities of page URL matching
Also support patterns for matching URLs by explicit ports, query parameters and maybe even POST request parameters. koszko
01:02 PM Feature #32 (Rejected): Process HTML files in data: URLs instead of just blocking them
Content scripts are said not to get loaded to pages opened from data: URLs. We're currently blocking data: page links... koszko
12:58 PM Feature #31 (Closed): add an option to disable script blocking globally
Some people might be less interested in swfreedom and more in potential features offered by our platform. koszko
12:57 PM Feature #30 (Closed): Rename the extension and find some good icon 🪓
In addition to the extension itself, the documentation (https://hachettebugs.koszko.org/projects/hachette/wiki) will ... koszko
12:55 PM Feature #29 (Closed): validate settings data on import
Settings data is imported and exported as json. Invalid JSON schema can currently cause import operation to throw an ... koszko
12:54 PM Feature #28 (Closed): split options_main.js into several smaller files
This file is betting bigger and bigger... koszko
12:53 PM Feature #27 (Rejected): make extension's all html files proper XHTML
koszko
12:53 PM Feature #26 (Closed): besides blocking scripts through csp, also block connections that needlessly fetch those scripts
koszko
12:52 PM Feature #25 (Closed): stop always using the same script nonce on given https(s) site
Other protocols are of no interest since they're not supported by WebRequest API. For HTTP(s), we could make things m... koszko
12:48 PM Feature #24 (Closed): validate data entered in settings
Right now it is possible to add a bag to itself and do other weird things... koszko
12:48 PM Feature #23 (Closed): also implement support for whitelisting of non-https urls
The method of policy smuggling through URL is already defined. What is needed is to perform a reload to a URL contain... koszko
12:45 PM Feature #22 (Closed): supplement the build script with a makefile, also produce zipped artifacts
Right now building is performed with `build.sh mozilla` or `build.sh chromium`. These produce directories with built ... koszko
12:42 PM Feature #21 (Rejected): rearrange files in extension
Currently, scripts are split between _background_, _content_, _common_ and _html_ directories. The idea was to arrang... koszko
12:39 PM Feature #20 (Rejected): block prefetch
Page can tell the browser to prefetch certain resources (such as scripts) even before they are used. If a script is n... koszko
12:37 PM Feature #19 (Rejected): check if prerendering has to be blocked
Modern "Web" added feature to allow page to specify other pages to be prerendered before they are opened in the brows... koszko
12:33 PM Feature #18 (Rejected): make it possible to inject scripts to arbitrary places in DOM
This might turn out not to be needed. Practice will show. For now - scripts are being injected at the end of <body> a... koszko
12:32 PM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo
Of course, we need the repo itself first. koszko
12:31 PM Feature #16 (Closed): create a repository to host scripts
This is a broad topic and will ultimately be a separate project on this tracker.
koszko
12:30 PM Feature #15 (Closed): make sure page's own csp in <head> doesn't block our scripts
Currently we inject scripts by creating a <script> tag and adding it at the end of <body>. We remove page's own csp H... koszko
12:28 PM Feature #14 (Rejected): test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Currently used are:
by koszko:
* IceCat 60 (+ selenium)
* Ungoogled Chromium 90
* Parabola Iceweasel 75 (+ sele...
koszko
12:26 PM Feature #13 (Closed): find some way not to require each chrome user to modify manifest.json
Smuggling page's policy setting to content scripts without use of asynchronous APIs like messages system doesn't seem... koszko
12:15 PM Feature #12 (Rejected): make script bag components re-orderable
Implement drag&drop functionality to re-order bag components in settings page. koszko
12:13 PM Feature #11 (Closed): add some nice styling to settings page
Edit _html/options.html_, maybe extract styles into a separate .css file. koszko
12:12 PM Feature #10 (Rejected): show iframes settings in popup
In popup make it possible to view both main frame page's settings and settings for pages that currently happen to liv... koszko
12:03 PM Feature #8 (Closed): add some good, sane error handling
Storage accesses might sometimes fail (for example due to all available storage space being used up) and we could inf... koszko
11:56 AM Feature #7 (New): [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
We want to be able to save sites' scripts for local serving and editing and we want sites to work properly with such ... koszko
11:41 AM Feature #6 (New): [Roadmap 34] make it possible to automatically download page's served scripts and save them
Of course, running the same nonfree scripts but served locally would not be a significant improvement. This feature w... koszko
11:35 AM Feature #5 (Closed): optimize url querying
Scripts are injected to pages with URLs matching specified patterns, like _https://**.example.com/something/*_. Curre... koszko
11:25 AM Feature #4 (Rejected): make it possible to cache remote scripts
When a script to inject is not stored locally but rather referenced by a URL, it gets downloaded every time it is nee... koszko
10:50 AM Feature #3 (Rejected): make it possible to provide backup urls for remote scripts
When defining a script to inject to pages, it is possible to provide a URL to download it from instead of the actual ... koszko
10:41 AM Feature #2 (Rejected): allow specifying whether a script occurring mutiple times should be included multiple times or once
It extension's settings page it is possible to make "script bags" and add scripts to them. A bag can also be added to... koszko
10:27 AM Feature #1 (Rejected): parallelize fetching of remote scripts
Besides scripts keps in extension's storage, it is also possible to define an injectable script using URL from which ... koszko

06/30/2021

04:39 PM Revision 12fd4fc3 (haketilo): fix whitelisting under Firefox
koszko
02:18 PM Revision c49e3750 (haketilo): remove trailing whitespace
koszko
02:13 PM Revision cd5272ac (haketilo): refactor 3 miscellaneous fnctionalities to a their single own file
koszko
12:28 PM Revision 261548ff (haketilo): emply an sh-based build system; make some changes to blocking
koszko

06/28/2021

02:00 AM Revision 83a8d263 (haketilo): Index two new files intended for the previous commit.
jahoti
02:00 AM Revision edbbe400 (haketilo): License script-blocking techniques from NoScript in machine-readable format.
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly
blocked to ensure no JavaScript leaks i...
jahoti

06/26/2021

07:01 AM Revision 86ad1c6e (haketilo): remove mnetion of LGPL from javascript exception to the GPL
koszko

06/25/2021

01:58 PM Revision 4939e3a9 (haketilo): make it clear "A" license contains text from BSD license with its own copyright
koszko
11:48 AM Revision b93f26bf (haketilo): gather all copyright info in 'copyright' file
koszko

06/23/2021

03:38 AM Revision c744eb0e (haketilo): Fix storage initialization on Icecat 60
This patch fixes storage initialization on Gecko browsers by switching from
using a background page to using a list o...
jahoti

06/21/2021

02:00 AM Revision cad85119 (haketilo): change horizontal line style to light green
Nicholas Johnson

06/20/2021

02:00 AM Revision 348b792d (haketilo): add button styling
Nicholas Johnson

06/19/2021

09:26 PM Revision 659f532e (haketilo): add import/export functionality
Wojtek Kosior

06/18/2021

11:46 AM Revision 7c44b46e (haketilo): remove unused source files
Wojtek Kosior
11:45 AM Revision 9fead3a3 (haketilo): update Asshole license text
Wojtek Kosior
11:45 AM Revision 7ee7889a (haketilo): when possible inject CSP as http(s) header using webRequest instead of adding a <meta> tag
Wojtek Kosior
 

Also available in: Atom