Project

General

Profile

Activity

From 06/28/2021 to 07/27/2021

07/27/2021

01:01 PM Bug #53: Interference with existing CSP headers
> > Actually, when scripts are blocked, allowing CSP reports would make no sense because it would be violations of ou... koszko
12:03 PM Bug #53: Interference with existing CSP headers
Firstly, header-signing is working OK on Mozilla. While headers are cached across sessions, the secret is too; unless... jahoti
11:30 AM Bug #53: Interference with existing CSP headers
> > As to CSP violation report blocking - should we do that unconditionally? Perhaps there are some legitimate use ca... koszko
06:45 AM Bug #53: Interference with existing CSP headers
> I just notices one possible problem: what if Mozilla caches headers across browser sessions? If so, our "signing" o... jahoti
11:46 AM Feature #67 (Rejected): Document `common/sanitize_JSON.js`
This 400-line js file in `koszko` branch implements a declarative way of enforcing some format on JSON we parse. Unfo... koszko
11:41 AM Revision 2fa41a54 (haketilo): validate settings on import
koszko

07/26/2021

04:13 PM Feature #66 (Closed): Write tests
It seems problematic to test software that is meant to run as a browser extension - and it indeed is, especially when... koszko
01:37 PM Revision 64afd5b9 (haketilo): provide a facility to sanitize externally-obtained JSON
koszko
12:15 PM Bug #65 (Closed): When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
koszko
12:13 PM Bug #53: Interference with existing CSP headers
> The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will re... koszko
12:10 PM Revision 5fcc9808 (haketilo): code maintenance
koszko
11:09 AM Revision 97b8e30f (haketilo): Squash more CSP-filtering bugs
On Firefox, original CSP headers are now smuggled (signed) in an x-orig-csp
header to prevent re-processing issues wi...
jahoti
11:09 AM Revision e402e036 (haketilo): Fix some bugs in the refined CSP handling
jahoti
11:09 AM Revision fba4820b (haketilo): [UNTESTED- will test] Use more nuanced CSP filtering
CSP headers are now parsed and processed, rather than treated as simple
units. This allows us to ensure policies deli...
jahoti
11:09 AM Revision 57e4ed2b (haketilo): Remove unnecessary imports of url_item and add a CSP header-parsing function
The parsing function isn't used yet; however, it will eventually be as a less
destructive alternative to handling hea...
jahoti
09:22 AM Feature #48: Load default_setting.json using XMLHttpRequest
> Not necessarily.
>
> I think reference to how Arch packaging works might be useful here. Arch PKGBUILD script use...
jahoti
08:44 AM Feature #48: Load default_setting.json using XMLHttpRequest
> On the other hand, that could prevent offline builds; IDK.
Not necessarily.
I think reference to how Arch pac...
koszko
09:15 AM Feature #64: Plan the update system
> How about updating site scripts only when the user visits that site? There would only ever be a single script API r... jahoti
08:52 AM Feature #64: Plan the update system
How about updating site scripts only when the user visits that site? There would only ever be a single script API req... koszko

07/25/2021

09:31 AM Bug #53: Interference with existing CSP headers
The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will requ... jahoti
09:26 AM Bug #53: Interference with existing CSP headers
Patch committed; awaiting acceptance/rejection from master. While it's difficult to be fully confident it's clear, as... jahoti
09:29 AM Feature #19: check if prerendering has to be blocked
Blocking prefetching (as is done on pages without scripts enabled for <#20>) makes prerendering impossible. While it ... jahoti
09:27 AM Feature #20: block prefetch
This is implemented as part of the patch for #53 (it can be done with CSP). However, I couldn't work out how to test ... jahoti
09:13 AM Feature #64 (Closed): Plan the update system
The most natural approach, especially given what we currently have, would be to request information from the server o... jahoti
08:58 AM Feature #48: Load default_setting.json using XMLHttpRequest
Definitely the latter; moving fixes to the repository first would only be in order to have the build script(s) downlo... jahoti
02:00 AM Revision 24ad876c (haketilo): Squash more CSP-filtering bugs
On Firefox, original CSP headers are now smuggled (signed) in an x-orig-csp
header to prevent re-processing issues wi...
jahoti

07/24/2021

08:47 AM Feature #48: Load default_setting.json using XMLHttpRequest
Depends. We can make this issue obsolete and completely move bundled settings to the repo.
Or, after moving most o...
koszko

07/23/2021

12:38 AM Feature #48: Load default_setting.json using XMLHttpRequest
Preferrably preceded by: <https://hachettebugs.koszko.org/issues/59> jahoti
12:32 AM Feature #38: Add support to also inject css files to pages
Perhaps part of <https://hachettebugs.koszko.org/boards/1/topics/56>. jahoti
12:13 AM Feature #20 (In Progress): block prefetch
See <https://hachettebugs.koszko.org/issues/53#note-2>. jahoti
12:12 AM Bug #53 (In Progress): Interference with existing CSP headers
A fix is now implemented by parsing CSP headers for direct handling, which also allows removing of directives that re... jahoti
06:27 PM Feature #63 (Closed): Force <noscript> tags on pages where scripts are blocked
Other extensions should already have some code for this koszko
05:32 PM Revision d42dadca (haketilo): extract observables implementation from storage.js
koszko
11:57 AM Feature #50 (Closed): Standardize repository APIs/data formats
That seems good, and it's flexible enough (being JSON) to be modified as the system evolves or even if anybody disagr... jahoti

07/22/2021

11:18 AM Feature #50: Standardize repository APIs/data formats
How about a JSON interface? Later on we can simply add more fields to the JSON objects described now. Please tell wha... koszko
02:00 AM Revision 77139a6f (haketilo): Fix some bugs in the refined CSP handling
jahoti

07/21/2021

11:48 PM Bug #53: Interference with existing CSP headers
Currently working on this (albeit somewhat slowly). jahoti
10:00 PM Revision c483ae19 (haketilo): add ability to query page content from repo and display it in the popup
koszko
05:42 PM Revision 5c685518 (haketilo): store repository URLs in settings
koszko
05:40 PM Revision fb9c808c (haketilo): remove unused variables
koszko
04:23 PM Feature #50: Standardize repository APIs/data formats
Related topic: https://hachettebugs.koszko.org/boards/1/topics/56 koszko
04:21 PM Feature #25 (Closed): stop always using the same script nonce on given https(s) site
Ok, this has been merged yesterday koszko
09:18 AM Feature #30 (Closed): Rename the extension and find some good icon ๐Ÿช“
Merged to master :) koszko
02:00 AM Revision 57b80d72 (haketilo): [UNTESTED- will test] Use more nuanced CSP filtering
CSP headers are now parsed and processed, rather than treated as simple
units. This allows us to ensure policies deli...
jahoti
02:00 AM Revision efce4e98 (haketilo): Merge remote-tracking branch 'origin/koszko' into jahoti
jahoti
02:00 AM Revision efd6ae83 (haketilo): Remove unnecessary imports of url_item and add a CSP header-parsing function
The parsing function isn't used yet; however, it will eventually be as a less
destructive alternative to handling hea...
jahoti

07/20/2021

01:05 AM Feature #30: Rename the extension and find some good icon ๐Ÿช“
> I pushed it on my branch, waiting for your feedback
It's an emphatic "yes" from me on all counts!
(except Chr...
jahoti
12:15 PM Feature #30 (Feedback): Rename the extension and find some good icon ๐Ÿช“
Chromium rejected SVG icons, so I made it into PNG of various sizes. I automatized this with an sh loop and an inksca... koszko
12:03 PM Revision 081739e7 (haketilo): Merge rebranding to "Hachette"
koszko
11:25 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use
koszko
11:25 AM Bug #54: Remote-storage port(s) are disconnected while still in use
Turns out it was a page_info_server error caused by a typo (missed underscore caused some storage change callback not... koszko
10:26 AM Bug #54 (In Progress): Remote-storage port(s) are disconnected while still in use
Yes, I seems to happen exclusively after "View in settings" or "Edit in settings" is used. I now know that I introduc... koszko
11:20 AM Revision 82836b92 (haketilo): fix options_main.js bugs
koszko
11:19 AM Revision 9e26b71e (haketilo): fix page info server bugs
koszko
10:17 AM Revision 0c7c1ebd (haketilo): Merge commit 'ecb787046271de708b94da70240713e725299d86'
koszko

07/19/2021

12:01 AM Feature #30: Rename the extension and find some good icon ๐Ÿช“
Oh yes! That looks great, and after looking through the others I completely agree with picking it. Patch incoming! jahoti
01:12 PM Feature #30: Rename the extension and find some good icon ๐Ÿช“
How about:
https://publicdomainvectors.org/en/tag/hatchet
Out of those, I personally liek this one the most:
htt...
koszko
12:57 PM Feature #30: Rename the extension and find some good icon ๐Ÿช“
Patches for renaming have been pushed to both the `jahoti` and `nonce-PoC` branches.
All that remains, if that wen...
jahoti
09:03 AM Feature #30: Rename the extension and find some good icon ๐Ÿช“
The renaming part shouldn't take too long jahoti
10:18 AM Feature #27: make extension's all html files proper XHTML
Indeed :) koszko
02:00 AM Revision 97f683e2 (haketilo): Change the icon
jahoti
02:00 AM Revision 6b12a034 (haketilo): Refer to the extension consistently as "Hachette" and remove TODOS.org
from the copyright file jahoti

07/18/2021

07:45 AM Feature #27: make extension's all html files proper XHTML
Actually, not yet- should this be low priority? jahoti
07:42 AM Feature #27 (In Progress): make extension's all html files proper XHTML
Working on this. jahoti
07:41 AM Feature #36: prepare application for NLnet fund
Unassigning myself as it is no longer accurate or reasonable to say only one person is involved with it. jahoti
06:09 AM Bug #54: Remote-storage port(s) are disconnected while still in use
The issue, it turns out, can be reproduced by opening the popup on an unprivileged page and then playing with the set... jahoti
02:46 AM Bug #54: Remote-storage port(s) are disconnected while still in use
> Any additional details as to how to reproduce the error? I guess it must have something to do with closing of the s... jahoti
02:41 AM Feature #25: stop always using the same script nonce on given https(s) site
>> The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it c... jahoti
02:00 AM Revision ecb78704 (haketilo): Streamline and harden unique values/settings
The base URL is now included in the settings. The unique value no longer uses
it directly, as it is included by virtu...
jahoti

07/17/2021

09:58 PM Bug #54: Remote-storage port(s) are disconnected while still in use
That's possible. I've been fighting these ports also when making the popup page.
Any additional details as to how ...
koszko
09:12 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use
Potentially there are other issues with storage, and the situation may not even be limited to Gecko; however, these a... jahoti
02:50 PM Feature #25: stop always using the same script nonce on given https(s) site
> * The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it ... koszko
12:52 PM Feature #25: stop always using the same script nonce on given https(s) site
> I was arguing for drawing a salt and deriving the nonce from salt, URL, time and secret.
That makes sense!
> ...
jahoti
11:23 AM Feature #25: stop always using the same script nonce on given https(s) site
> Just to check, are you arguing for drawing one random value or a salt and, separately, a nonce?
I was arguing fo...
koszko
09:42 AM Feature #25: stop always using the same script nonce on given https(s) site
>> That would be OK- the nonce can be (and is) generated randomly for each request[...]
> And we need either salt or...
jahoti
08:33 AM Feature #25: stop always using the same script nonce on given https(s) site
jahoti wrote:
> >> In the current PoC that would still let them whitelist the page entirely
> > Right, I missed tha...
koszko
09:09 AM Bug #53 (Closed): Interference with existing CSP headers
Current handling of pre-existing CSP headers needs to be refined:
* Pre-existing http-equiv embeds and actual header...
jahoti
09:02 AM Bug #52 (Closed): Headers not updated on cached requests
Thanks for the API suggestions! It turns out the issue was indeed the same as you worked around earlier, and a minor ... jahoti
02:00 AM Revision 8b823e1a (haketilo): Revamp signatures and break header caching on FF
Signatures, instead of consisting of the secure salt followed by the unique
value generated from the URL, are now the...
jahoti

07/16/2021

12:25 AM Feature #25: stop always using the same script nonce on given https(s) site
>> In the current PoC that would still let them whitelist the page entirely
> Right, I missed that. How about when s...
jahoti
12:05 PM Feature #25: stop always using the same script nonce on given https(s) site
> >> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> > Not if s...
koszko
11:32 AM Feature #25: stop always using the same script nonce on given https(s) site
>> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> Not if someo...
jahoti
10:06 AM Feature #25: stop always using the same script nonce on given https(s) site
> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
Not if someon...
koszko
09:03 AM Feature #25: stop always using the same script nonce on given https(s) site
> It does actually show up, at least under Chromium, but only for a moment. Or rather it used to show up, before I co... jahoti
09:33 AM Bug #52: Headers not updated on cached requests
There seem to be some APIs for that. The one that reloads a tab while bypassing cache seems to be the most promising:... koszko
09:06 AM Bug #52 (Closed): Headers not updated on cached requests
When a page is loaded from the cache (e.g. after reloading), we don't (can't?) modify the headers. That means, for in... jahoti
02:00 AM Revision 692577bb (haketilo): Use URL-based policy smuggling
Increase the power of URL-based smuggling by making it (effectively)
compulsory in all cases and adapting a <salt><un...
jahoti

07/14/2021

12:16 PM Feature #25: stop always using the same script nonce on given https(s) site
> Unless you get to it first, I'll try implementing it in the next 24 hours.
Go on. I am doing repo stuff right no...
koszko
11:27 AM Feature #25: stop always using the same script nonce on given https(s) site
I agree with doing it as a PoC with JSON-encoded settings; that was the idea I meant to communicate, even if (looking... jahoti
09:40 AM Feature #25: stop always using the same script nonce on given https(s) site
> While the details should still be discussed before declaring it finalized
It's still possible to make a proof-of...
koszko
07:28 AM Feature #25: stop always using the same script nonce on given https(s) site
> In general, after `#' we can have the unique value used to authenticate the injected string, followed by settings s... jahoti
11:57 AM Feature #36: prepare application for NLnet fund
Slightly adjusted to reflect the fact that there is now a stakeholders (ugh) section, a brief section on technical ch... jahoti
11:47 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle
As per message#49 this is dependent on dropping the use of unfixed verifiers ("unique values"), which is properly a s... jahoti

07/13/2021

12:22 PM Feature #25: stop always using the same script nonce on given https(s) site
> only question is how to fit it alongside the smuggled whitelisting code; do you have a possible scheme?
The whi...
koszko
11:46 AM Feature #25: stop always using the same script nonce on given https(s) site
> However, one more thing came to my mind. When rewriting headers, we could also smuggle the random nonce (or better ... jahoti
11:38 AM Feature #25: stop always using the same script nonce on given https(s) site
> > Also, have you thought about deriving HTTP(s) nonce from url, tab id and frame id? This way we would not need to ... koszko

07/12/2021

12:01 AM Feature #25: stop always using the same script nonce on given https(s) site
> I think we should also add some way to forget the nonces that are not going to be used anymore (for example because... jahoti
02:35 PM Feature #25 (In Progress): stop always using the same script nonce on given https(s) site
Merged into master. Honestly, I am neutral towards that unrelated patch.
I think we should also add some way to fo...
koszko
07:13 AM Feature #25 (Feedback): stop always using the same script nonce on given https(s) site
jahoti
07:08 AM Feature #25: stop always using the same script nonce on given https(s) site
Patch awaiting acceptance/rejection: testing on Chromium is *critical*, as there is a potential (albeit improbable) r... jahoti
02:22 PM Revision 1789f174 (haketilo): merge jahoti into master
koszko
07:14 AM Feature #44 (Resolved): Load in default settings using the build system
jahoti
07:10 AM Feature #44 (Feedback): Load in default settings using the build system
jahoti
07:10 AM Feature #44 (In Progress): Load in default settings using the build system
jahoti
07:09 AM Feature #44 (Feedback): Load in default settings using the build system
jahoti
02:00 AM Revision dcfc78b0 (haketilo): Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores ...
jahoti

07/11/2021

02:00 AM Revision 0e002513 (haketilo): Remove redundant nonce-based filtering in the script suppressor
jahoti
02:00 AM Revision 229e86f6 (haketilo): Integrate browser.js into exports_init.js, and streamline the result
jahoti

07/10/2021

01:43 AM Feature #51 (New): [Roadmap 10][Milestone] Support internationalization
The WebExtensions standard includes a system for supporting translation of the extension UI: <https://developer.mozil... jahoti

07/09/2021

05:16 PM Feature #40 (Closed): Move documentation to wiki
jahoti wrote:
> The only issue is a few references to the build system, which treat it as hypothetical;
I think t...
koszko
05:05 AM Feature #40 (Feedback): Move documentation to wiki
jahoti

07/06/2021

12:26 AM Feature #50 (Closed): Standardize repository APIs/data formats
It doesn't need to be anything formal; however, without such a standard client- and server-side development in this a... jahoti
12:09 AM Feature #48: Load default_setting.json using XMLHttpRequest
(Responding here as the other issue is now resolved.)
> Btw, I am considering maintaining old build.sh alongside t...
jahoti
12:12 PM Feature #48 (Rejected): Load default_setting.json using XMLHttpRequest
I believe XMLHttpRequest can also be used to fetch extension's own files. After fetching the default settings file, w... koszko
12:05 AM Feature #44 (Resolved): Load in default settings using the build system
jahoti
01:48 PM Feature #44: Load in default settings using the build system
Btw, I am considering maintaining old build.sh alongside the new build.html. Plus, IMHO, changing to use XMLHttpReque... koszko
12:16 PM Feature #44: Load in default settings using the build system
That would be a very, very good idea (albeit much less relevant if the build system is rewritten in JS). jahoti
12:06 PM Feature #44: Load in default settings using the build system
Perhaps we could load default_settings.json using XMLHttpRequest and this way reduce the complexity of build system a... koszko
06:45 PM Feature #49 (Closed): add some nice styling to popup
Edit html/display-panel.html and html/display-panel.js, maybe add a separace .css file.
This shall involve heavy c...
koszko
06:27 PM Revision c86bdfcd (haketilo): Merge popup display
koszko
06:25 PM Revision b7e2870f (haketilo): show some settings of the current page in the popup
koszko
05:10 PM Feature #11: add some nice styling to settings page
By the way, "adding styling" is not supposed to mean just writing some CSS. Heavy changes to HTML, accompanied with u... koszko
01:51 PM Feature #22: supplement the build script with a makefile, also produce zipped artifacts
Unless we decide to keep the old build script and maintain both. Consider packaging of the extension for distros.
Ha...
koszko
12:19 PM Feature #22: supplement the build script with a makefile, also produce zipped artifacts
Potentially obsoleted by #47 jahoti
12:13 PM Feature #30: Rename the extension and find some good icon ๐Ÿช“
Adjusted in reference to https://hachettebugs.koszko.org/boards/2/topics/6 jahoti
11:50 AM Feature #47 (Rejected): [Roadmap 24][Milestone] Rewrite the build script in a self-contained HTML file
Details here: https://hachettebugs.koszko.org/boards/1/topics/1
[Roadmap](/projects/hachette/wiki/Roadmap#Mileston...
koszko

07/05/2021

04:50 AM Feature #40: Move documentation to wiki
(Thank you for switching it to Markdown!)
The documentation is now all on the wiki, with a slight re-organization ...
jahoti

07/04/2021

12:12 AM Bug #42 (Rejected): Nonce not set on injected scripts
jahoti
11:05 PM Feature #40: Move documentation to wiki
Changed to Markdown as per your request koszko
05:59 AM Feature #40 (In Progress): Move documentation to wiki
Unless anybody else wants to take this task on, I'm happy to do so (having managed to create the wiki).
However, t...
jahoti
04:50 AM Feature #37: prepare some website fixes usable with this extension
Patch pushed to git (awaiting acceptance/rejection from master branch) changes the defaults to include a few tested f... jahoti
04:47 AM Feature #44 (In Progress): Load in default settings using the build system
Patch pushed to git; awaiting acceptance/rejection from master branch. jahoti
04:38 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Thank you for the screenshot! Now I see what you mean, and do indeed have that ability (as well as wiki page creation... jahoti
02:00 AM Revision 2059fab6 (haketilo): Revamp default settings
Default settings are now provided in the same format as data exported from the
extension, incorporating them into the...
jahoti

07/02/2021

11:08 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Perhaps. However, I also had hard time trying to find where the edit option is... Just in case - I am sending a scree... koszko
10:51 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
It partly helped- I can see a lot more options than previously! There's still no way to edit the issue, however, whic... jahoti
11:36 AM Feature #14 (In Progress): test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
I added you to the project. Perhaps it will work now koszko
02:55 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
I can't work out how to edit it in: Tor Browser 10.0.17 jahoti
09:34 PM Bug #39 (Closed): Redmine is unbelievably slow. do sth about it
koszko
11:55 AM Revision d0ae3939 (haketilo): enable opening settings page with certain item immediately in edit mode
koszko
11:54 AM Revision 8708ddd3 (haketilo): move parsing of url with targets to misc.js
koszko
11:48 AM Revision b4282398 (haketilo): ignore some special files (emacs automatic backups) when building
koszko
09:06 AM Feature #45 (Rejected): Add a universal wildcard for URLs
Potentially something to consider carefully, as it is obviously open to misuse, a way to signal a script should run o... jahoti
03:22 AM Feature #44 (Closed): Load in default settings using the build system
Currently default settings are integrated into the source code, which makes it difficult to add or modify the built-i... jahoti
03:01 AM Feature #8: add some good, sane error handling
Also what happens when the hash of a remotely loaded script doesn't match what is set- some update mechanism perhaps? jahoti
02:21 AM Feature #40: Move documentation to wiki
There's no wiki to move documentation to yet (it seems you're the only one with the power to create one). jahoti
02:09 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle
All supported browsers provide built-in support for hashing and other cryptographic methods through built-in APIs. Th... jahoti
02:02 AM Bug #42 (Rejected): Nonce not set on injected scripts
**Update: rejected as this the expected behaviour, and is present at least as far back as commit 86ad1c6e0cf8a9ec3a52... jahoti

07/01/2021

08:01 PM Feature #9 (In Progress): make page settings easily and conveniently editable in popup
koszko
12:10 PM Feature #9 (Rejected): make page settings easily and conveniently editable in popup
koszko
06:15 PM Feature #40 (Closed): Move documentation to wiki
Documentation is currently on https://koszko.org/browser-extension-doc.html and https://git.koszko.org/browser-extens... koszko
05:12 PM Revision 008efedd (haketilo): Employ issue tracker
koszko
04:52 PM Bug #39: Redmine is unbelievably slow. do sth about it
Seems to have been due to matrix-synapse I left running on the VPS eating all the RAM and swap... Let's let redmine o... koszko
04:50 PM Bug #39 (In Progress): Redmine is unbelievably slow. do sth about it
koszko
04:50 PM Bug #39 (Feedback): Redmine is unbelievably slow. do sth about it
koszko
04:07 PM Bug #39 (Closed): Redmine is unbelievably slow. do sth about it
koszko
01:52 PM Feature #38 (Rejected): Add support to also inject css files to pages
koszko
01:51 PM Feature #37 (Closed): prepare some website fixes usable with this extension
Hachette's goal (not the only one) is to enable fixing of nonfree-js-encumbered sites and sharing the fixes. However,... koszko
01:11 PM Feature #36 (Closed): prepare application for NLnet fund
Current efforts are on [[NLNet_application_for_UOI_Call_August_2021]]. koszko
01:07 PM Feature #34 (Closed): improve CSP injection blocking
There are some possible pathological cases like `<script>` before `<head>`. We should make sure CSP `<meta>` tag we i... koszko
01:05 PM Feature #33 (Rejected): Add more possibilities of page URL matching
Also support patterns for matching URLs by explicit ports, query parameters and maybe even POST request parameters. koszko
01:02 PM Feature #32 (Rejected): Process HTML files in data: URLs instead of just blocking them
Content scripts are said not to get loaded to pages opened from data: URLs. We're currently blocking data: page links... koszko
12:58 PM Feature #31 (Closed): add an option to disable script blocking globally
Some people might be less interested in swfreedom and more in potential features offered by our platform. koszko
12:57 PM Feature #30 (Closed): Rename the extension and find some good icon ๐Ÿช“
In addition to the extension itself, the documentation (https://hachettebugs.koszko.org/projects/hachette/wiki) will ... koszko
12:55 PM Feature #29 (Closed): validate settings data on import
Settings data is imported and exported as json. Invalid JSON schema can currently cause import operation to throw an ... koszko
12:54 PM Feature #28 (Closed): split options_main.js into several smaller files
This file is betting bigger and bigger... koszko
12:53 PM Feature #27 (Rejected): make extension's all html files proper XHTML
koszko
12:53 PM Feature #26 (Closed): besides blocking scripts through csp, also block connections that needlessly fetch those scripts
koszko
12:52 PM Feature #25 (Closed): stop always using the same script nonce on given https(s) site
Other protocols are of no interest since they're not supported by WebRequest API. For HTTP(s), we could make things m... koszko
12:48 PM Feature #24 (Closed): validate data entered in settings
Right now it is possible to add a bag to itself and do other weird things... koszko
12:48 PM Feature #23 (Closed): also implement support for whitelisting of non-https urls
The method of policy smuggling through URL is already defined. What is needed is to perform a reload to a URL contain... koszko
12:45 PM Feature #22 (Closed): supplement the build script with a makefile, also produce zipped artifacts
Right now building is performed with `build.sh mozilla` or `build.sh chromium`. These produce directories with built ... koszko
12:42 PM Feature #21 (Rejected): rearrange files in extension
Currently, scripts are split between _background_, _content_, _common_ and _html_ directories. The idea was to arrang... koszko
12:39 PM Feature #20 (Rejected): block prefetch
Page can tell the browser to prefetch certain resources (such as scripts) even before they are used. If a script is n... koszko
12:37 PM Feature #19 (Rejected): check if prerendering has to be blocked
Modern "Web" added feature to allow page to specify other pages to be prerendered before they are opened in the brows... koszko
12:33 PM Feature #18 (Rejected): make it possible to inject scripts to arbitrary places in DOM
This might turn out not to be needed. Practice will show. For now - scripts are being injected at the end of <body> a... koszko
12:32 PM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo
Of course, we need the repo itself first. koszko
12:31 PM Feature #16 (Closed): create a repository to host scripts
This is a broad topic and will ultimately be a separate project on this tracker.
koszko
12:30 PM Feature #15 (Closed): make sure page's own csp in <head> doesn't block our scripts
Currently we inject scripts by creating a <script> tag and adding it at the end of <body>. We remove page's own csp H... koszko
12:28 PM Feature #14 (Rejected): test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Currently used are:
by koszko:
* IceCat 60 (+ selenium)
* Ungoogled Chromium 90
* Parabola Iceweasel 75 (+ sele...
koszko
12:26 PM Feature #13 (Closed): find some way not to require each chrome user to modify manifest.json
Smuggling page's policy setting to content scripts without use of asynchronous APIs like messages system doesn't seem... koszko
12:15 PM Feature #12 (Rejected): make script bag components re-orderable
Implement drag&drop functionality to re-order bag components in settings page. koszko
12:13 PM Feature #11 (Closed): add some nice styling to settings page
Edit _html/options.html_, maybe extract styles into a separate .css file. koszko
12:12 PM Feature #10 (Rejected): show iframes settings in popup
In popup make it possible to view both main frame page's settings and settings for pages that currently happen to liv... koszko
12:03 PM Feature #8 (Closed): add some good, sane error handling
Storage accesses might sometimes fail (for example due to all available storage space being used up) and we could inf... koszko
11:56 AM Feature #7 (New): [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
We want to be able to save sites' scripts for local serving and editing and we want sites to work properly with such ... koszko
11:41 AM Feature #6 (New): [Roadmap 34] make it possible to automatically download page's served scripts and save them
Of course, running the same nonfree scripts but served locally would not be a significant improvement. This feature w... koszko
11:35 AM Feature #5 (Closed): optimize url querying
Scripts are injected to pages with URLs matching specified patterns, like _https://**.example.com/something/*_. Curre... koszko
11:25 AM Feature #4 (Rejected): make it possible to cache remote scripts
When a script to inject is not stored locally but rather referenced by a URL, it gets downloaded every time it is nee... koszko
10:50 AM Feature #3 (Rejected): make it possible to provide backup urls for remote scripts
When defining a script to inject to pages, it is possible to provide a URL to download it from instead of the actual ... koszko
10:41 AM Feature #2 (Rejected): allow specifying whether a script occurring mutiple times should be included multiple times or once
It extension's settings page it is possible to make "script bags" and add scripts to them. A bag can also be added to... koszko
10:27 AM Feature #1 (Rejected): parallelize fetching of remote scripts
Besides scripts keps in extension's storage, it is also possible to define an injectable script using URL from which ... koszko

06/30/2021

04:39 PM Revision 12fd4fc3 (haketilo): fix whitelisting under Firefox
koszko
02:18 PM Revision c49e3750 (haketilo): remove trailing whitespace
koszko
02:13 PM Revision cd5272ac (haketilo): refactor 3 miscellaneous fnctionalities to a their single own file
koszko
12:28 PM Revision 261548ff (haketilo): emply an sh-based build system; make some changes to blocking
koszko

06/28/2021

02:00 AM Revision 83a8d263 (haketilo): Index two new files intended for the previous commit.
jahoti
02:00 AM Revision edbbe400 (haketilo): License script-blocking techniques from NoScript in machine-readable format.
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly
blocked to ensure no JavaScript leaks i...
jahoti
 

Also available in: Atom