Activity
From 06/22/2021 to 07/21/2021
07/21/2021
- 11:48 PM Bug #53: Interference with existing CSP headers
- Currently working on this (albeit somewhat slowly).
- 04:23 PM Feature #50: Standardize repository APIs/data formats
- Related topic: https://hachettebugs.koszko.org/boards/1/topics/56
- 04:21 PM Feature #25 (Closed): stop always using the same script nonce on given https(s) site
- Ok, this has been merged yesterday
- 09:18 AM Feature #30 (Closed): Rename the extension and find some good icon ๐ช
- Merged to master :)
07/20/2021
- 01:05 AM Feature #30: Rename the extension and find some good icon ๐ช
- > I pushed it on my branch, waiting for your feedback
It's an emphatic "yes" from me on all counts!
(except Chr... - 12:15 PM Feature #30 (Feedback): Rename the extension and find some good icon ๐ช
- Chromium rejected SVG icons, so I made it into PNG of various sizes. I automatized this with an sh loop and an inksca...
- 11:25 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use
- 11:25 AM Bug #54: Remote-storage port(s) are disconnected while still in use
- Turns out it was a page_info_server error caused by a typo (missed underscore caused some storage change callback not...
- 10:26 AM Bug #54 (In Progress): Remote-storage port(s) are disconnected while still in use
- Yes, I seems to happen exclusively after "View in settings" or "Edit in settings" is used. I now know that I introduc...
07/19/2021
- 12:01 AM Feature #30: Rename the extension and find some good icon ๐ช
- Oh yes! That looks great, and after looking through the others I completely agree with picking it. Patch incoming!
- 01:12 PM Feature #30: Rename the extension and find some good icon ๐ช
- How about:
https://publicdomainvectors.org/en/tag/hatchet
Out of those, I personally liek this one the most:
htt... - 12:57 PM Feature #30: Rename the extension and find some good icon ๐ช
- Patches for renaming have been pushed to both the `jahoti` and `nonce-PoC` branches.
All that remains, if that wen... - 09:03 AM Feature #30: Rename the extension and find some good icon ๐ช
- The renaming part shouldn't take too long
- 10:18 AM Feature #27: make extension's all html files proper XHTML
- Indeed :)
07/18/2021
- 07:45 AM Feature #27: make extension's all html files proper XHTML
- Actually, not yet- should this be low priority?
- 07:42 AM Feature #27 (In Progress): make extension's all html files proper XHTML
- Working on this.
- 07:41 AM Feature #36: prepare application for NLnet fund
- Unassigning myself as it is no longer accurate or reasonable to say only one person is involved with it.
- 06:09 AM Bug #54: Remote-storage port(s) are disconnected while still in use
- The issue, it turns out, can be reproduced by opening the popup on an unprivileged page and then playing with the set...
- 02:46 AM Bug #54: Remote-storage port(s) are disconnected while still in use
- > Any additional details as to how to reproduce the error? I guess it must have something to do with closing of the s...
- 02:41 AM Feature #25: stop always using the same script nonce on given https(s) site
- >> The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it c...
07/17/2021
- 09:58 PM Bug #54: Remote-storage port(s) are disconnected while still in use
- That's possible. I've been fighting these ports also when making the popup page.
Any additional details as to how ... - 09:12 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use
- Potentially there are other issues with storage, and the situation may not even be limited to Gecko; however, these a...
- 02:50 PM Feature #25: stop always using the same script nonce on given https(s) site
- > * The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it ...
- 12:52 PM Feature #25: stop always using the same script nonce on given https(s) site
- > I was arguing for drawing a salt and deriving the nonce from salt, URL, time and secret.
That makes sense!
> ... - 11:23 AM Feature #25: stop always using the same script nonce on given https(s) site
- > Just to check, are you arguing for drawing one random value or a salt and, separately, a nonce?
I was arguing fo... - 09:42 AM Feature #25: stop always using the same script nonce on given https(s) site
- >> That would be OK- the nonce can be (and is) generated randomly for each request[...]
> And we need either salt or... - 08:33 AM Feature #25: stop always using the same script nonce on given https(s) site
- jahoti wrote:
> >> In the current PoC that would still let them whitelist the page entirely
> > Right, I missed tha... - 09:09 AM Bug #53 (Closed): Interference with existing CSP headers
- Current handling of pre-existing CSP headers needs to be refined:
* Pre-existing http-equiv embeds and actual header... - 09:02 AM Bug #52 (Closed): Headers not updated on cached requests
- Thanks for the API suggestions! It turns out the issue was indeed the same as you worked around earlier, and a minor ...
07/16/2021
- 12:25 AM Feature #25: stop always using the same script nonce on given https(s) site
- >> In the current PoC that would still let them whitelist the page entirely
> Right, I missed that. How about when s... - 12:05 PM Feature #25: stop always using the same script nonce on given https(s) site
- > >> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> > Not if s... - 11:32 AM Feature #25: stop always using the same script nonce on given https(s) site
- >> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> Not if someo... - 10:06 AM Feature #25: stop always using the same script nonce on given https(s) site
- > Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
Not if someon... - 09:03 AM Feature #25: stop always using the same script nonce on given https(s) site
- > It does actually show up, at least under Chromium, but only for a moment. Or rather it used to show up, before I co...
- 09:33 AM Bug #52: Headers not updated on cached requests
- There seem to be some APIs for that. The one that reloads a tab while bypassing cache seems to be the most promising:...
- 09:06 AM Bug #52 (Closed): Headers not updated on cached requests
- When a page is loaded from the cache (e.g. after reloading), we don't (can't?) modify the headers. That means, for in...
07/14/2021
- 12:16 PM Feature #25: stop always using the same script nonce on given https(s) site
- > Unless you get to it first, I'll try implementing it in the next 24 hours.
Go on. I am doing repo stuff right no... - 11:27 AM Feature #25: stop always using the same script nonce on given https(s) site
- I agree with doing it as a PoC with JSON-encoded settings; that was the idea I meant to communicate, even if (looking...
- 09:40 AM Feature #25: stop always using the same script nonce on given https(s) site
- > While the details should still be discussed before declaring it finalized
It's still possible to make a proof-of... - 07:28 AM Feature #25: stop always using the same script nonce on given https(s) site
- > In general, after `#' we can have the unique value used to authenticate the injected string, followed by settings s...
- 11:57 AM Feature #36: prepare application for NLnet fund
- Slightly adjusted to reflect the fact that there is now a stakeholders (ugh) section, a brief section on technical ch...
- 11:47 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle
- As per message#49 this is dependent on dropping the use of unfixed verifiers ("unique values"), which is properly a s...
07/13/2021
- 12:22 PM Feature #25: stop always using the same script nonce on given https(s) site
- > only question is how to fit it alongside the smuggled whitelisting code; do you have a possible scheme?
The whi... - 11:46 AM Feature #25: stop always using the same script nonce on given https(s) site
- > However, one more thing came to my mind. When rewriting headers, we could also smuggle the random nonce (or better ...
- 11:38 AM Feature #25: stop always using the same script nonce on given https(s) site
- > > Also, have you thought about deriving HTTP(s) nonce from url, tab id and frame id? This way we would not need to ...
07/12/2021
- 12:01 AM Feature #25: stop always using the same script nonce on given https(s) site
- > I think we should also add some way to forget the nonces that are not going to be used anymore (for example because...
- 02:35 PM Feature #25 (In Progress): stop always using the same script nonce on given https(s) site
- Merged into master. Honestly, I am neutral towards that unrelated patch.
I think we should also add some way to fo... - 07:13 AM Feature #25 (Feedback): stop always using the same script nonce on given https(s) site
- 07:08 AM Feature #25: stop always using the same script nonce on given https(s) site
- Patch awaiting acceptance/rejection: testing on Chromium is *critical*, as there is a potential (albeit improbable) r...
- 07:14 AM Feature #44 (Resolved): Load in default settings using the build system
- 07:10 AM Feature #44 (Feedback): Load in default settings using the build system
- 07:10 AM Feature #44 (In Progress): Load in default settings using the build system
- 07:09 AM Feature #44 (Feedback): Load in default settings using the build system
07/10/2021
- 01:43 AM Feature #51 (New): [Roadmap 10][Milestone] Support internationalization
- The WebExtensions standard includes a system for supporting translation of the extension UI: <https://developer.mozil...
07/09/2021
- 05:16 PM Feature #40 (Closed): Move documentation to wiki
- jahoti wrote:
> The only issue is a few references to the build system, which treat it as hypothetical;
I think t... - 05:05 AM Feature #40 (Feedback): Move documentation to wiki
07/06/2021
- 12:26 AM Feature #50 (Closed): Standardize repository APIs/data formats
- It doesn't need to be anything formal; however, without such a standard client- and server-side development in this a...
- 12:09 AM Feature #48: Load default_setting.json using XMLHttpRequest
- (Responding here as the other issue is now resolved.)
> Btw, I am considering maintaining old build.sh alongside t... - 12:12 PM Feature #48 (Rejected): Load default_setting.json using XMLHttpRequest
- I believe XMLHttpRequest can also be used to fetch extension's own files. After fetching the default settings file, w...
- 12:05 AM Feature #44 (Resolved): Load in default settings using the build system
- 01:48 PM Feature #44: Load in default settings using the build system
- Btw, I am considering maintaining old build.sh alongside the new build.html. Plus, IMHO, changing to use XMLHttpReque...
- 12:16 PM Feature #44: Load in default settings using the build system
- That would be a very, very good idea (albeit much less relevant if the build system is rewritten in JS).
- 12:06 PM Feature #44: Load in default settings using the build system
- Perhaps we could load default_settings.json using XMLHttpRequest and this way reduce the complexity of build system a...
- 06:45 PM Feature #49 (Closed): add some nice styling to popup
- Edit html/display-panel.html and html/display-panel.js, maybe add a separace .css file.
This shall involve heavy c... - 05:10 PM Feature #11: add some nice styling to settings page
- By the way, "adding styling" is not supposed to mean just writing some CSS. Heavy changes to HTML, accompanied with u...
- 01:51 PM Feature #22: supplement the build script with a makefile, also produce zipped artifacts
- Unless we decide to keep the old build script and maintain both. Consider packaging of the extension for distros.
Ha... - 12:19 PM Feature #22: supplement the build script with a makefile, also produce zipped artifacts
- Potentially obsoleted by #47
- 12:13 PM Feature #30: Rename the extension and find some good icon ๐ช
- Adjusted in reference to https://hachettebugs.koszko.org/boards/2/topics/6
- 11:50 AM Feature #47 (Rejected): [Roadmap 24][Milestone] Rewrite the build script in a self-contained HTML file
- Details here: https://hachettebugs.koszko.org/boards/1/topics/1
[Roadmap](/projects/hachette/wiki/Roadmap#Mileston...
07/05/2021
- 04:50 AM Feature #40: Move documentation to wiki
- (Thank you for switching it to Markdown!)
The documentation is now all on the wiki, with a slight re-organization ...
07/04/2021
- 12:12 AM Bug #42 (Rejected): Nonce not set on injected scripts
- 11:05 PM Feature #40: Move documentation to wiki
- Changed to Markdown as per your request
- 05:59 AM Feature #40 (In Progress): Move documentation to wiki
- Unless anybody else wants to take this task on, I'm happy to do so (having managed to create the wiki).
However, t... - 04:50 AM Feature #37: prepare some website fixes usable with this extension
- Patch pushed to git (awaiting acceptance/rejection from master branch) changes the defaults to include a few tested f...
- 04:47 AM Feature #44 (In Progress): Load in default settings using the build system
- Patch pushed to git; awaiting acceptance/rejection from master branch.
- 04:38 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- Thank you for the screenshot! Now I see what you mean, and do indeed have that ability (as well as wiki page creation...
07/02/2021
- 11:08 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- Perhaps. However, I also had hard time trying to find where the edit option is... Just in case - I am sending a scree...
- 10:51 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- It partly helped- I can see a lot more options than previously! There's still no way to edit the issue, however, whic...
- 11:36 AM Feature #14 (In Progress): test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- I added you to the project. Perhaps it will work now
- 02:55 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- I can't work out how to edit it in: Tor Browser 10.0.17
- 09:34 PM Bug #39 (Closed): Redmine is unbelievably slow. do sth about it
- 09:06 AM Feature #45 (Rejected): Add a universal wildcard for URLs
- Potentially something to consider carefully, as it is obviously open to misuse, a way to signal a script should run o...
- 03:22 AM Feature #44 (Closed): Load in default settings using the build system
- Currently default settings are integrated into the source code, which makes it difficult to add or modify the built-i...
- 03:01 AM Feature #8: add some good, sane error handling
- Also what happens when the hash of a remotely loaded script doesn't match what is set- some update mechanism perhaps?
- 02:21 AM Feature #40: Move documentation to wiki
- There's no wiki to move documentation to yet (it seems you're the only one with the power to create one).
- 02:09 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle
- All supported browsers provide built-in support for hashing and other cryptographic methods through built-in APIs. Th...
- 02:02 AM Bug #42 (Rejected): Nonce not set on injected scripts
- **Update: rejected as this the expected behaviour, and is present at least as far back as commit 86ad1c6e0cf8a9ec3a52...
07/01/2021
- 08:01 PM Feature #9 (In Progress): make page settings easily and conveniently editable in popup
- 12:10 PM Feature #9 (Rejected): make page settings easily and conveniently editable in popup
- 06:15 PM Feature #40 (Closed): Move documentation to wiki
- Documentation is currently on https://koszko.org/browser-extension-doc.html and https://git.koszko.org/browser-extens...
- 04:52 PM Bug #39: Redmine is unbelievably slow. do sth about it
- Seems to have been due to matrix-synapse I left running on the VPS eating all the RAM and swap... Let's let redmine o...
- 04:50 PM Bug #39 (In Progress): Redmine is unbelievably slow. do sth about it
- 04:50 PM Bug #39 (Feedback): Redmine is unbelievably slow. do sth about it
- 04:07 PM Bug #39 (Closed): Redmine is unbelievably slow. do sth about it
- 01:52 PM Feature #38 (Rejected): Add support to also inject css files to pages
- 01:51 PM Feature #37 (Closed): prepare some website fixes usable with this extension
- Hachette's goal (not the only one) is to enable fixing of nonfree-js-encumbered sites and sharing the fixes. However,...
- 01:11 PM Feature #36 (Closed): prepare application for NLnet fund
- Current efforts are on [[NLNet_application_for_UOI_Call_August_2021]].
- 01:07 PM Feature #34 (Closed): improve CSP injection blocking
- There are some possible pathological cases like `<script>` before `<head>`. We should make sure CSP `<meta>` tag we i...
- 01:05 PM Feature #33 (Rejected): Add more possibilities of page URL matching
- Also support patterns for matching URLs by explicit ports, query parameters and maybe even POST request parameters.
- 01:02 PM Feature #32 (Rejected): Process HTML files in data: URLs instead of just blocking them
- Content scripts are said not to get loaded to pages opened from data: URLs. We're currently blocking data: page links...
- 12:58 PM Feature #31 (Closed): add an option to disable script blocking globally
- Some people might be less interested in swfreedom and more in potential features offered by our platform.
- 12:57 PM Feature #30 (Closed): Rename the extension and find some good icon ๐ช
- In addition to the extension itself, the documentation (https://hachettebugs.koszko.org/projects/hachette/wiki) will ...
- 12:55 PM Feature #29 (Closed): validate settings data on import
- Settings data is imported and exported as json. Invalid JSON schema can currently cause import operation to throw an ...
- 12:54 PM Feature #28 (Closed): split options_main.js into several smaller files
- This file is betting bigger and bigger...
- 12:53 PM Feature #27 (Rejected): make extension's all html files proper XHTML
- 12:53 PM Feature #26 (Closed): besides blocking scripts through csp, also block connections that needlessly fetch those scripts
- 12:52 PM Feature #25 (Closed): stop always using the same script nonce on given https(s) site
- Other protocols are of no interest since they're not supported by WebRequest API. For HTTP(s), we could make things m...
- 12:48 PM Feature #24 (Closed): validate data entered in settings
- Right now it is possible to add a bag to itself and do other weird things...
- 12:48 PM Feature #23 (Closed): also implement support for whitelisting of non-https urls
- The method of policy smuggling through URL is already defined. What is needed is to perform a reload to a URL contain...
- 12:45 PM Feature #22 (Closed): supplement the build script with a makefile, also produce zipped artifacts
- Right now building is performed with `build.sh mozilla` or `build.sh chromium`. These produce directories with built ...
- 12:42 PM Feature #21 (Rejected): rearrange files in extension
- Currently, scripts are split between _background_, _content_, _common_ and _html_ directories. The idea was to arrang...
- 12:39 PM Feature #20 (Rejected): block prefetch
- Page can tell the browser to prefetch certain resources (such as scripts) even before they are used. If a script is n...
- 12:37 PM Feature #19 (Rejected): check if prerendering has to be blocked
- Modern "Web" added feature to allow page to specify other pages to be prerendered before they are opened in the brows...
- 12:33 PM Feature #18 (Rejected): make it possible to inject scripts to arbitrary places in DOM
- This might turn out not to be needed. Practice will show. For now - scripts are being injected at the end of <body> a...
- 12:32 PM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo
- Of course, we need the repo itself first.
- 12:31 PM Feature #16 (Closed): create a repository to host scripts
- This is a broad topic and will ultimately be a separate project on this tracker.
- 12:30 PM Feature #15 (Closed): make sure page's own csp in <head> doesn't block our scripts
- Currently we inject scripts by creating a <script> tag and adding it at the end of <body>. We remove page's own csp H...
- 12:28 PM Feature #14 (Rejected): test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- Currently used are:
by koszko:
* IceCat 60 (+ selenium)
* Ungoogled Chromium 90
* Parabola Iceweasel 75 (+ sele... - 12:26 PM Feature #13 (Closed): find some way not to require each chrome user to modify manifest.json
- Smuggling page's policy setting to content scripts without use of asynchronous APIs like messages system doesn't seem...
- 12:15 PM Feature #12 (Rejected): make script bag components re-orderable
- Implement drag&drop functionality to re-order bag components in settings page.
- 12:13 PM Feature #11 (Closed): add some nice styling to settings page
- Edit _html/options.html_, maybe extract styles into a separate .css file.
- 12:12 PM Feature #10 (Rejected): show iframes settings in popup
- In popup make it possible to view both main frame page's settings and settings for pages that currently happen to liv...
- 12:03 PM Feature #8 (Closed): add some good, sane error handling
- Storage accesses might sometimes fail (for example due to all available storage space being used up) and we could inf...
- 11:56 AM Feature #7 (New): [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
- We want to be able to save sites' scripts for local serving and editing and we want sites to work properly with such ...
- 11:41 AM Feature #6 (New): [Roadmap 34] make it possible to automatically download page's served scripts and save them
- Of course, running the same nonfree scripts but served locally would not be a significant improvement. This feature w...
- 11:35 AM Feature #5 (Closed): optimize url querying
- Scripts are injected to pages with URLs matching specified patterns, like _https://**.example.com/something/*_. Curre...
- 11:25 AM Feature #4 (Rejected): make it possible to cache remote scripts
- When a script to inject is not stored locally but rather referenced by a URL, it gets downloaded every time it is nee...
- 10:50 AM Feature #3 (Rejected): make it possible to provide backup urls for remote scripts
- When defining a script to inject to pages, it is possible to provide a URL to download it from instead of the actual ...
- 10:41 AM Feature #2 (Rejected): allow specifying whether a script occurring mutiple times should be included multiple times or once
- It extension's settings page it is possible to make "script bags" and add scripts to them. A bag can also be added to...
- 10:27 AM Feature #1 (Rejected): parallelize fetching of remote scripts
- Besides scripts keps in extension's storage, it is also possible to define an injectable script using URL from which ...
Also available in: Atom