Haketilo

08/06/2021

05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo

I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
... koszko

02:42 AM Feature #66: Write tests

> Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha... jahoti

08/05/2021

12:30 PM Feature #66: Write tests

jahoti wrote:
> This is now off to a (very slow) start.
>
> It's currently in a separate folder to Hachette; shou... koszko

11:47 AM Feature #66: Write tests

This is now off to a (very slow) start.
It's currently in a separate folder to Hachette; should that continue, or ... jahoti

12:15 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> > Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening `https://example.com/` in... koszko

11:32 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> Does WebRequest not allow rewriting of [the referer] header?
WebRequest probably does actually; thanks for point... jahoti

08/04/2021

10:19 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> > BTW, we could also facilitate spoofing of the referer header for similar purposes
>
> Are extensions allowed t... koszko

08/03/2021

11:48 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> BTW, we could also facilitate spoofing of the referer header for similar purposes
Are extensions allowed to spoo... jahoti

11:29 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix

We definitely need to support this; the question is, as you point out, how. Using the `script` tag is probably an abu... jahoti

08/02/2021

01:19 AM Feature #13: find some way not to require each chrome user to modify manifest.json

Please note that under Manifest V3 in Chrome we'll be able to dynamically register content scripts which might solve ... koszko

12:50 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has ... koszko

11:49 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

While they're not the **only** use (as outlined in the description), meta-sites will almost certainly be the main app... jahoti

04:09 PM Feature #71 (Closed): [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

Cross-Origin Resource Sharing (CORS) is a mechanism through which browsers can decide whether a page should or should... koszko

11:51 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix

I've seen this, and will reply later. jahoti

02:44 PM Feature #69 (New): [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix

Consider fixes like that for Google Sheets[^gsheets_script]. They heavily use `document.createElement()` to construct... koszko

11:47 PM Feature #73 (New): [Roadmap 6] Implement a permissions system

This seems to be a common component of several security- and feature-related powers now. It probably deserves a stand... jahoti

11:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> Correct assumption [that I'm working on Odyssey]. I should've stated that explicitly
That's OK- it would have be... jahoti

01:18 PM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette

> I've left work on the Odyssey fix to you, on the assumption that you were working on it
Correct assumption. I sh... koszko

11:14 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

I've left work on the Odyssey fix to you, on the assumption that you were working on it- sorry if I was misunderstand... jahoti

05:00 PM Feature #36 (Closed): prepare application for NLnet fund

koszko

04:24 PM Feature #72 (New): [Roadmap 18][Milestone] Facilitate creation of "meta-sites"

Besides making fixes for sites like Odysee, YouTube, Vimeo, etc., we could also go further and create standalone ephe... koszko

02:46 PM Feature #70 (New): [Roadmap 7][Milestone] Add facility to replace sites' original HTML with custom one

So far we were focusing on writing custom javascript for files. However, we often end up implementing our own site in... koszko

08/01/2021

12:26 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> They must be using a distinct API to load the videos.
Anyway, we only need video name and the first hex digit of... koszko

02:18 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> In case you want to devote some time to improve this fix, here[1] is one video page that doesn't work. I assume it ... jahoti

07/31/2021

11:24 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> You did it- it works!
In case you want to devote some time to improve this fix, here[1] is one video page that d... koszko

11:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

Oh, and- while it's definitely not relevant for the preview- I'm working on `pcspecialist.co.uk`.
(the reverted La... jahoti

11:15 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

You did it- it works! Technically the video never actually played on TBB, given how painfully slow the network is, ye... jahoti

11:07 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> I'll do this right now.
No need to hurry - I already have a screenshot sufficient for the preview.
I would be... koszko

10:52 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> No, it's not what I meant :D
> I was referring to "would that need a settings screenshot too". I meant an addition... jahoti

01:16 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> > I don't think this is needed.
>
> OK- I've stripped that out entirely and just left the `ask ubuntu` (is that ... koszko

12:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> I don't think this is needed.
OK- I've stripped that out entirely and just left the `ask ubuntu` (is that what y... jahoti

12:22 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> Making `losedows phone exchange` the main `stackexchange` example, and then using `ask ubuntu` to show how Hachette... koszko

02:32 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

While applying the modifications, I also made some changes to try and differentiate the examples:
* Removing the `ba... jahoti

02:24 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> > One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn'... koszko

11:36 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)

Other major ones left are Abrowser, Pure Browser (even though Pure OS by itself is misbehaving), maybe also Brave and... koszko

03:14 AM Feature #37 (Closed): prepare some website fixes usable with this extension

<https://git.koszko.org/hachette_fixes_tmp>
IMO, there's enough fixes available now to consider this complete. jahoti

03:11 AM Feature #64 (Closed): Plan the update system

jahoti

07/30/2021

11:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn't.... jahoti

10:56 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> There are only really two small changes I can suggest, which I can make if you want
Go on with all you suggested... koszko

10:49 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> What do you think of the pdf in its current form?
It genuinely looks *amazing*, and the summaries are really eff... jahoti

06:23 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

What do you think of the pdf in its current form?
https://koszko.org/preview.pdf
EDIT: Also, I put all the fi... koszko

06:23 PM Support #68 (In Progress): Prepare some screenshot documenting sites fixed using Hachette

koszko

12:00 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> File attachment here seems to be timing out for me
Probably not really the matter of time. Apache log:
```
[Fr... koszko

10:12 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

Those are looking good- nevertheless, I'll probably leave styling to you, seeing as I am terrible at it! File attachm... jahoti

07/29/2021

10:14 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

I started composing this attachment as a PDF. I will need to work on the styling, though (or you can do this if you w... koszko

07:33 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

You might also want to look at my new Google sheets fix. The initial portion of the sheet that is served as HTML is s... koszko

03:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> That works really well!
Surprising, isn't it?
One would expect that Google's CSP rule from http-equiv <meta> ... koszko

09:21 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

That works really well!
Unforeseen circumstances meant I haven't done much on this so far, unfortunately; however,... jahoti

07/28/2021

07:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> [...] and perhaps write some more (quick and dirty) fixes of various kinds, that might help get the point across ev... koszko

11:09 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

I think it's a great idea! If we try and get as many browsers as possible too, and perhaps write some more (quick and... jahoti

10:38 AM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette

I thought we could attach some examples of fixed sites in an attachment to the appliction. What do you think about it... koszko

12:18 PM Feature #48: Load default_setting.json using XMLHttpRequest

> > Also, the practice of linking one git repo from another could be useful here.
>
> How do you mean?
https:... koszko

11:11 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo

> By "automatically fetch script substitutes" I don't mean just downloading scripts that have URL+sha256sum provided ... jahoti

09:11 AM Feature #17 (In Progress): enable the extension to automatically fetch script substitutes from the repo

jahoti wrote:
> Hasn't this been addressed?
Actually, I am working on this right now. By "automatically fetch scr... koszko

07:30 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo

Hasn't this been addressed? jahoti

11:06 AM Feature #64: Plan the update system

> EDIT: Actually, I noticed the issue is "Plan the update system", not "implement", so we indeed can discuss this now... jahoti

09:17 AM Feature #64: Plan the update system

> perhaps adding the option to update everything at once too.
That makes sense.
However, to avoid the infrastru... koszko

07:37 AM Feature #64: Plan the update system

Well, I seem to have misremembered some parts of threads and can't find others, which leaves asking a much less plaus... jahoti

09:24 AM Feature #66: Write tests

jahoti wrote:
> Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sor... koszko

07:27 AM Feature #66: Write tests

Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sort (my words, not ... jahoti

07/27/2021

01:01 PM Bug #53: Interference with existing CSP headers

> > Actually, when scripts are blocked, allowing CSP reports would make no sense because it would be violations of ou... koszko

12:03 PM Bug #53: Interference with existing CSP headers

Firstly, header-signing is working OK on Mozilla. While headers are cached across sessions, the secret is too; unless... jahoti

11:30 AM Bug #53: Interference with existing CSP headers

> > As to CSP violation report blocking - should we do that unconditionally? Perhaps there are some legitimate use ca... koszko

06:45 AM Bug #53: Interference with existing CSP headers

> I just notices one possible problem: what if Mozilla caches headers across browser sessions? If so, our "signing" o... jahoti

11:46 AM Feature #67 (Rejected): Document `common/sanitize_JSON.js`

This 400-line js file in `koszko` branch implements a declarative way of enforcing some format on JSON we parse. Unfo... koszko

07/26/2021

04:13 PM Feature #66 (Closed): Write tests

It seems problematic to test software that is meant to run as a browser extension - and it indeed is, especially when... koszko

12:15 PM Bug #65 (Closed): When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

koszko

12:13 PM Bug #53: Interference with existing CSP headers

> The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will re... koszko

09:22 AM Feature #48: Load default_setting.json using XMLHttpRequest

> Not necessarily.
>
> I think reference to how Arch packaging works might be useful here. Arch PKGBUILD script use... jahoti

08:44 AM Feature #48: Load default_setting.json using XMLHttpRequest

> On the other hand, that could prevent offline builds; IDK.
Not necessarily.
I think reference to how Arch pac... koszko

09:15 AM Feature #64: Plan the update system

> How about updating site scripts only when the user visits that site? There would only ever be a single script API r... jahoti

08:52 AM Feature #64: Plan the update system

How about updating site scripts only when the user visits that site? There would only ever be a single script API req... koszko

07/25/2021

09:31 AM Bug #53: Interference with existing CSP headers

The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will requ... jahoti

09:26 AM Bug #53: Interference with existing CSP headers

Patch committed; awaiting acceptance/rejection from master. While it's difficult to be fully confident it's clear, as... jahoti

09:29 AM Feature #19: check if prerendering has to be blocked

Blocking prefetching (as is done on pages without scripts enabled for <#20>) makes prerendering impossible. While it ... jahoti

09:27 AM Feature #20: block prefetch

This is implemented as part of the patch for #53 (it can be done with CSP). However, I couldn't work out how to test ... jahoti

09:13 AM Feature #64 (Closed): Plan the update system

The most natural approach, especially given what we currently have, would be to request information from the server o... jahoti

08:58 AM Feature #48: Load default_setting.json using XMLHttpRequest

Definitely the latter; moving fixes to the repository first would only be in order to have the build script(s) downlo... jahoti

07/24/2021

08:47 AM Feature #48: Load default_setting.json using XMLHttpRequest

Depends. We can make this issue obsolete and completely move bundled settings to the repo.
Or, after moving most o... koszko

07/23/2021

12:38 AM Feature #48: Load default_setting.json using XMLHttpRequest

Preferrably preceded by: <https://hachettebugs.koszko.org/issues/59> jahoti

12:32 AM Feature #38: Add support to also inject css files to pages

Perhaps part of <https://hachettebugs.koszko.org/boards/1/topics/56>. jahoti

12:13 AM Feature #20 (In Progress): block prefetch

See <https://hachettebugs.koszko.org/issues/53#note-2>. jahoti

12:12 AM Bug #53 (In Progress): Interference with existing CSP headers

A fix is now implemented by parsing CSP headers for direct handling, which also allows removing of directives that re... jahoti

06:27 PM Feature #63 (Closed): Force <noscript> tags on pages where scripts are blocked

Other extensions should already have some code for this koszko

11:57 AM Feature #50 (Closed): Standardize repository APIs/data formats

That seems good, and it's flexible enough (being JSON) to be modified as the system evolves or even if anybody disagr... jahoti

07/22/2021

11:18 AM Feature #50: Standardize repository APIs/data formats

How about a JSON interface? Later on we can simply add more fields to the JSON objects described now. Please tell wha... koszko

07/21/2021

11:48 PM Bug #53: Interference with existing CSP headers

Currently working on this (albeit somewhat slowly). jahoti

04:23 PM Feature #50: Standardize repository APIs/data formats

Related topic: https://hachettebugs.koszko.org/boards/1/topics/56 koszko

04:21 PM Feature #25 (Closed): stop always using the same script nonce on given https(s) site

Ok, this has been merged yesterday koszko

09:18 AM Feature #30 (Closed): Rename the extension and find some good icon 🪓

Merged to master :) koszko

07/20/2021

01:05 AM Feature #30: Rename the extension and find some good icon 🪓

> I pushed it on my branch, waiting for your feedback
It's an emphatic "yes" from me on all counts!
(except Chr... jahoti

12:15 PM Feature #30 (Feedback): Rename the extension and find some good icon 🪓

Chromium rejected SVG icons, so I made it into PNG of various sizes. I automatized this with an sh loop and an inksca... koszko

11:25 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use

koszko

11:25 AM Bug #54: Remote-storage port(s) are disconnected while still in use

Turns out it was a page_info_server error caused by a typo (missed underscore caused some storage change callback not... koszko

10:26 AM Bug #54 (In Progress): Remote-storage port(s) are disconnected while still in use

Yes, I seems to happen exclusively after "View in settings" or "Edit in settings" is used. I now know that I introduc... koszko

07/19/2021

12:01 AM Feature #30: Rename the extension and find some good icon 🪓

Oh yes! That looks great, and after looking through the others I completely agree with picking it. Patch incoming! jahoti

01:12 PM Feature #30: Rename the extension and find some good icon 🪓

How about:
https://publicdomainvectors.org/en/tag/hatchet
Out of those, I personally liek this one the most:
htt... koszko

12:57 PM Feature #30: Rename the extension and find some good icon 🪓

Patches for renaming have been pushed to both the `jahoti` and `nonce-PoC` branches.
All that remains, if that wen... jahoti

09:03 AM Feature #30: Rename the extension and find some good icon 🪓

The renaming part shouldn't take too long jahoti

10:18 AM Feature #27: make extension's all html files proper XHTML

Indeed :) koszko

07/18/2021

07:45 AM Feature #27: make extension's all html files proper XHTML

Actually, not yet- should this be low priority? jahoti

07:42 AM Feature #27 (In Progress): make extension's all html files proper XHTML

Working on this. jahoti

07:41 AM Feature #36: prepare application for NLnet fund

Unassigning myself as it is no longer accurate or reasonable to say only one person is involved with it. jahoti

06:09 AM Bug #54: Remote-storage port(s) are disconnected while still in use

The issue, it turns out, can be reproduced by opening the popup on an unprivileged page and then playing with the set... jahoti

02:46 AM Bug #54: Remote-storage port(s) are disconnected while still in use

> Any additional details as to how to reproduce the error? I guess it must have something to do with closing of the s... jahoti

02:41 AM Feature #25: stop always using the same script nonce on given https(s) site

>> The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it c... jahoti

07/17/2021

09:58 PM Bug #54: Remote-storage port(s) are disconnected while still in use

That's possible. I've been fighting these ports also when making the popup page.
Any additional details as to how ... koszko

09:12 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use

Potentially there are other issues with storage, and the situation may not even be limited to Gecko; however, these a... jahoti

02:50 PM Feature #25: stop always using the same script nonce on given https(s) site

> * The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it ... koszko

12:52 PM Feature #25: stop always using the same script nonce on given https(s) site

> I was arguing for drawing a salt and deriving the nonce from salt, URL, time and secret.
That makes sense!
> ... jahoti

11:23 AM Feature #25: stop always using the same script nonce on given https(s) site

> Just to check, are you arguing for drawing one random value or a salt and, separately, a nonce?
I was arguing fo... koszko

09:42 AM Feature #25: stop always using the same script nonce on given https(s) site

>> That would be OK- the nonce can be (and is) generated randomly for each request[...]
> And we need either salt or... jahoti

08:33 AM Feature #25: stop always using the same script nonce on given https(s) site

jahoti wrote:
> >> In the current PoC that would still let them whitelist the page entirely
> > Right, I missed tha... koszko

09:09 AM Bug #53 (Closed): Interference with existing CSP headers

Current handling of pre-existing CSP headers needs to be refined:
* Pre-existing http-equiv embeds and actual header... jahoti

09:02 AM Bug #52 (Closed): Headers not updated on cached requests

Thanks for the API suggestions! It turns out the issue was indeed the same as you worked around earlier, and a minor ... jahoti

07/16/2021

12:25 AM Feature #25: stop always using the same script nonce on given https(s) site

>> In the current PoC that would still let them whitelist the page entirely
> Right, I missed that. How about when s... jahoti

12:05 PM Feature #25: stop always using the same script nonce on given https(s) site

> >> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> > Not if s... koszko

11:32 AM Feature #25: stop always using the same script nonce on given https(s) site

>> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> Not if someo... jahoti

10:06 AM Feature #25: stop always using the same script nonce on given https(s) site

> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
Not if someon... koszko

09:03 AM Feature #25: stop always using the same script nonce on given https(s) site

> It does actually show up, at least under Chromium, but only for a moment. Or rather it used to show up, before I co... jahoti

09:33 AM Bug #52: Headers not updated on cached requests

There seem to be some APIs for that. The one that reloads a tab while bypassing cache seems to be the most promising:... koszko

09:06 AM Bug #52 (Closed): Headers not updated on cached requests

When a page is loaded from the cache (e.g. after reloading), we don't (can't?) modify the headers. That means, for in... jahoti

07/14/2021

12:16 PM Feature #25: stop always using the same script nonce on given https(s) site

> Unless you get to it first, I'll try implementing it in the next 24 hours.
Go on. I am doing repo stuff right no... koszko

11:27 AM Feature #25: stop always using the same script nonce on given https(s) site

I agree with doing it as a PoC with JSON-encoded settings; that was the idea I meant to communicate, even if (looking... jahoti

09:40 AM Feature #25: stop always using the same script nonce on given https(s) site

> While the details should still be discussed before declaring it finalized
It's still possible to make a proof-of... koszko

07:28 AM Feature #25: stop always using the same script nonce on given https(s) site

> In general, after `#' we can have the unique value used to authenticate the injected string, followed by settings s... jahoti

11:57 AM Feature #36: prepare application for NLnet fund

Slightly adjusted to reflect the fact that there is now a stakeholders (ugh) section, a brief section on technical ch... jahoti

11:47 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle

As per message#49 this is dependent on dropping the use of unfixed verifiers ("unique values"), which is properly a s... jahoti

07/13/2021

12:22 PM Feature #25: stop always using the same script nonce on given https(s) site

> only question is how to fit it alongside the smuggled whitelisting code; do you have a possible scheme?
The whi... koszko

11:46 AM Feature #25: stop always using the same script nonce on given https(s) site

> However, one more thing came to my mind. When rewriting headers, we could also smuggle the random nonce (or better ... jahoti

11:38 AM Feature #25: stop always using the same script nonce on given https(s) site

> > Also, have you thought about deriving HTTP(s) nonce from url, tab id and frame id? This way we would not need to ... koszko

07/12/2021

12:01 AM Feature #25: stop always using the same script nonce on given https(s) site

> I think we should also add some way to forget the nonces that are not going to be used anymore (for example because... jahoti

02:35 PM Feature #25 (In Progress): stop always using the same script nonce on given https(s) site

Merged into master. Honestly, I am neutral towards that unrelated patch.
I think we should also add some way to fo... koszko

07:13 AM Feature #25 (Feedback): stop always using the same script nonce on given https(s) site

jahoti

07:08 AM Feature #25: stop always using the same script nonce on given https(s) site

Patch awaiting acceptance/rejection: testing on Chromium is *critical*, as there is a potential (albeit improbable) r... jahoti

07:14 AM Feature #44 (Resolved): Load in default settings using the build system

jahoti

07:10 AM Feature #44 (Feedback): Load in default settings using the build system

jahoti

07:10 AM Feature #44 (In Progress): Load in default settings using the build system

jahoti

07:09 AM Feature #44 (Feedback): Load in default settings using the build system

jahoti

07/10/2021

01:43 AM Feature #51 (New): [Roadmap 10][Milestone] Support internationalization

The WebExtensions standard includes a system for supporting translation of the extension UI: <https://developer.mozil... jahoti

07/09/2021

05:16 PM Feature #40 (Closed): Move documentation to wiki

jahoti wrote:
> The only issue is a few references to the build system, which treat it as hypothetical;
I think t... koszko

05:05 AM Feature #40 (Feedback): Move documentation to wiki

jahoti