Project

General

Profile

Activity

From 07/12/2021 to 08/10/2021

08/10/2021

08:18 PM Revision 2fbab2f0 (haketilo): change default repository URL
koszko

08/06/2021

05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo
I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
...
koszko
05:17 PM Revision 792fbe18 (haketilo): Facilitate installation of scripts from the repository
This commit includes:
* removal of page_info_server
* running of storage client in popup context
* extraction of some...
koszko
02:42 AM Feature #66: Write tests
> Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha...
jahoti
02:00 AM Revision 7796e554 (haketilo): Add the beginnings of a test suite
jahoti

08/05/2021

08:44 PM Revision 90896bcf (haketilo): enable modularization of html files
koszko
12:30 PM Feature #66: Write tests
jahoti wrote:
> This is now off to a (very slow) start.
>
> It's currently in a separate folder to Hachette; shou...
koszko
11:47 AM Feature #66: Write tests
This is now off to a (very slow) start.
It's currently in a separate folder to Hachette; should that continue, or ...
jahoti
12:15 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> > Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening `https://example.com/` in... koszko
11:32 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> Does WebRequest not allow rewriting of [the referer] header?
WebRequest probably does actually; thanks for point...
jahoti

08/04/2021

10:01 PM Revision 5957fbee (haketilo): make settings_query.js use storage object passed as an argument
koszko
10:19 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> > BTW, we could also facilitate spoofing of the referer header for similar purposes
>
> Are extensions allowed t...
koszko

08/03/2021

11:48 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> BTW, we could also facilitate spoofing of the referer header for similar purposes
Are extensions allowed to spoo...
jahoti
11:29 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
We definitely need to support this; the question is, as you point out, how. Using the `script` tag is probably an abu... jahoti

08/02/2021

01:19 AM Feature #13: find some way not to require each chrome user to modify manifest.json
Please note that under Manifest V3 in Chrome we'll be able to dynamically register content scripts which might solve ... koszko
12:50 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has ...
koszko
11:49 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
While they're not the **only** use (as outlined in the description), meta-sites will almost certainly be the main app... jahoti
04:09 PM Feature #71 (Closed): [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
Cross-Origin Resource Sharing (CORS) is a mechanism through which browsers can decide whether a page should or should... koszko
11:51 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
I've seen this, and will reply later. jahoti
02:44 PM Feature #69 (New): [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
Consider fixes like that for Google Sheets[^gsheets_script]. They heavily use `document.createElement()` to construct... koszko
11:47 PM Feature #73 (New): [Roadmap 6] Implement a permissions system
This seems to be a common component of several security- and feature-related powers now. It probably deserves a stand... jahoti
11:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> Correct assumption [that I'm working on Odyssey]. I should've stated that explicitly
That's OK- it would have be...
jahoti
01:18 PM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette
> I've left work on the Odyssey fix to you, on the assumption that you were working on it
Correct assumption. I sh...
koszko
11:14 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
I've left work on the Odyssey fix to you, on the assumption that you were working on it- sorry if I was misunderstand... jahoti
05:00 PM Feature #36 (Closed): prepare application for NLnet fund
koszko
04:24 PM Feature #72 (New): [Roadmap 18][Milestone] Facilitate creation of "meta-sites"
Besides making fixes for sites like Odysee, YouTube, Vimeo, etc., we could also go further and create standalone ephe... koszko
02:46 PM Feature #70 (New): [Roadmap 7][Milestone] Add facility to replace sites' original HTML with custom one
So far we were focusing on writing custom javascript for files. However, we often end up implementing our own site in... koszko
02:00 AM Revision 5b419aed (haketilo): [UNTESTED- will test] Add filtering for http-equiv CSP headers
jahoti

08/01/2021

12:26 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> They must be using a distinct API to load the videos.
Anyway, we only need video name and the first hex digit of...
koszko
02:18 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> In case you want to devote some time to improve this fix, here[1] is one video page that doesn't work. I assume it ... jahoti

07/31/2021

11:24 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> You did it- it works!
In case you want to devote some time to improve this fix, here[1] is one video page that d...
koszko
11:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
Oh, and- while it's definitely not relevant for the preview- I'm working on `pcspecialist.co.uk`.
(the reverted La...
jahoti
11:15 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
You did it- it works! Technically the video never actually played on TBB, given how painfully slow the network is, ye... jahoti
11:07 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> I'll do this right now.
No need to hurry - I already have a screenshot sufficient for the preview.
I would be...
koszko
10:52 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> No, it's not what I meant :D
> I was referring to "would that need a settings screenshot too". I meant an addition...
jahoti
01:16 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> > I don't think this is needed.
>
> OK- I've stripped that out entirely and just left the `ask ubuntu` (is that ...
koszko
12:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> I don't think this is needed.
OK- I've stripped that out entirely and just left the `ask ubuntu` (is that what y...
jahoti
12:22 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> Making `losedows phone exchange` the main `stackexchange` example, and then using `ask ubuntu` to show how Hachette... koszko
02:32 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
While applying the modifications, I also made some changes to try and differentiate the examples:
* Removing the `ba...
jahoti
02:24 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> > One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn'... koszko
11:36 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Other major ones left are Abrowser, Pure Browser (even though Pure OS by itself is misbehaving), maybe also Brave and... koszko
03:14 AM Feature #37 (Closed): prepare some website fixes usable with this extension
<https://git.koszko.org/hachette_fixes_tmp>
IMO, there's enough fixes available now to consider this complete.
jahoti
03:11 AM Feature #64 (Closed): Plan the update system
jahoti

07/30/2021

11:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn't.... jahoti
10:56 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> There are only really two small changes I can suggest, which I can make if you want
Go on with all you suggested...
koszko
10:49 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> What do you think of the pdf in its current form?
It genuinely looks *amazing*, and the summaries are really eff...
jahoti
06:23 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
What do you think of the pdf in its current form?
https://koszko.org/preview.pdf
EDIT: Also, I put all the fi...
koszko
06:23 PM Support #68 (In Progress): Prepare some screenshot documenting sites fixed using Hachette
koszko
12:00 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> File attachment here seems to be timing out for me
Probably not really the matter of time. Apache log:
```
[Fr...
koszko
10:12 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
Those are looking good- nevertheless, I'll probably leave styling to you, seeing as I am terrible at it! File attachm... jahoti

07/29/2021

10:14 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
I started composing this attachment as a PDF. I will need to work on the styling, though (or you can do this if you w... koszko
07:33 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
You might also want to look at my new Google sheets fix. The initial portion of the sheet that is served as HTML is s... koszko
03:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> That works really well!
Surprising, isn't it?
One would expect that Google's CSP rule from http-equiv <meta> ...
koszko
09:21 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
That works really well!
Unforeseen circumstances meant I haven't done much on this so far, unfortunately; however,...
jahoti

07/28/2021

07:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> [...] and perhaps write some more (quick and dirty) fixes of various kinds, that might help get the point across ev... koszko
11:09 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
I think it's a great idea! If we try and get as many browsers as possible too, and perhaps write some more (quick and... jahoti
10:38 AM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette
I thought we could attach some examples of fixed sites in an attachment to the appliction. What do you think about it... koszko
12:18 PM Feature #48: Load default_setting.json using XMLHttpRequest
> > Also, the practice of linking one git repo from another could be useful here.
>
> How do you mean?
https:...
koszko
11:11 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo
> By "automatically fetch script substitutes" I don't mean just downloading scripts that have URL+sha256sum provided ... jahoti
09:11 AM Feature #17 (In Progress): enable the extension to automatically fetch script substitutes from the repo
jahoti wrote:
> Hasn't this been addressed?
Actually, I am working on this right now. By "automatically fetch scr...
koszko
07:30 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo
Hasn't this been addressed? jahoti
11:06 AM Feature #64: Plan the update system
> EDIT: Actually, I noticed the issue is "Plan the update system", not "implement", so we indeed can discuss this now... jahoti
09:17 AM Feature #64: Plan the update system
> perhaps adding the option to update everything at once too.
That makes sense.
However, to avoid the infrastru...
koszko
07:37 AM Feature #64: Plan the update system
Well, I seem to have misremembered some parts of threads and can't find others, which leaves asking a much less plaus... jahoti
09:24 AM Feature #66: Write tests
jahoti wrote:
> Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sor...
koszko
07:27 AM Feature #66: Write tests
Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sort (my words, not ... jahoti
02:00 AM Revision 25817b68 (haketilo): Rationalize CSP violation report blocking.
Report blocking now applies iff scripts are blocked. jahoti

07/27/2021

01:01 PM Bug #53: Interference with existing CSP headers
> > Actually, when scripts are blocked, allowing CSP reports would make no sense because it would be violations of ou... koszko
12:03 PM Bug #53: Interference with existing CSP headers
Firstly, header-signing is working OK on Mozilla. While headers are cached across sessions, the secret is too; unless... jahoti
11:30 AM Bug #53: Interference with existing CSP headers
> > As to CSP violation report blocking - should we do that unconditionally? Perhaps there are some legitimate use ca... koszko
06:45 AM Bug #53: Interference with existing CSP headers
> I just notices one possible problem: what if Mozilla caches headers across browser sessions? If so, our "signing" o... jahoti
11:46 AM Feature #67 (Rejected): Document `common/sanitize_JSON.js`
This 400-line js file in `koszko` branch implements a declarative way of enforcing some format on JSON we parse. Unfo... koszko
11:41 AM Revision 2fa41a54 (haketilo): validate settings on import
koszko

07/26/2021

04:13 PM Feature #66 (Closed): Write tests
It seems problematic to test software that is meant to run as a browser extension - and it indeed is, especially when... koszko
01:37 PM Revision 64afd5b9 (haketilo): provide a facility to sanitize externally-obtained JSON
koszko
12:15 PM Bug #65 (Closed): When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
koszko
12:13 PM Bug #53: Interference with existing CSP headers
> The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will re... koszko
12:10 PM Revision 5fcc9808 (haketilo): code maintenance
koszko
11:09 AM Revision 97b8e30f (haketilo): Squash more CSP-filtering bugs
On Firefox, original CSP headers are now smuggled (signed) in an x-orig-csp
header to prevent re-processing issues wi...
jahoti
11:09 AM Revision e402e036 (haketilo): Fix some bugs in the refined CSP handling
jahoti
11:09 AM Revision fba4820b (haketilo): [UNTESTED- will test] Use more nuanced CSP filtering
CSP headers are now parsed and processed, rather than treated as simple
units. This allows us to ensure policies deli...
jahoti
11:09 AM Revision 57e4ed2b (haketilo): Remove unnecessary imports of url_item and add a CSP header-parsing function
The parsing function isn't used yet; however, it will eventually be as a less
destructive alternative to handling hea...
jahoti
09:22 AM Feature #48: Load default_setting.json using XMLHttpRequest
> Not necessarily.
>
> I think reference to how Arch packaging works might be useful here. Arch PKGBUILD script use...
jahoti
08:44 AM Feature #48: Load default_setting.json using XMLHttpRequest
> On the other hand, that could prevent offline builds; IDK.
Not necessarily.
I think reference to how Arch pac...
koszko
09:15 AM Feature #64: Plan the update system
> How about updating site scripts only when the user visits that site? There would only ever be a single script API r... jahoti
08:52 AM Feature #64: Plan the update system
How about updating site scripts only when the user visits that site? There would only ever be a single script API req... koszko

07/25/2021

09:31 AM Bug #53: Interference with existing CSP headers
The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will requ... jahoti
09:26 AM Bug #53: Interference with existing CSP headers
Patch committed; awaiting acceptance/rejection from master. While it's difficult to be fully confident it's clear, as... jahoti
09:29 AM Feature #19: check if prerendering has to be blocked
Blocking prefetching (as is done on pages without scripts enabled for <#20>) makes prerendering impossible. While it ... jahoti
09:27 AM Feature #20: block prefetch
This is implemented as part of the patch for #53 (it can be done with CSP). However, I couldn't work out how to test ... jahoti
09:13 AM Feature #64 (Closed): Plan the update system
The most natural approach, especially given what we currently have, would be to request information from the server o... jahoti
08:58 AM Feature #48: Load default_setting.json using XMLHttpRequest
Definitely the latter; moving fixes to the repository first would only be in order to have the build script(s) downlo... jahoti
02:00 AM Revision 24ad876c (haketilo): Squash more CSP-filtering bugs
On Firefox, original CSP headers are now smuggled (signed) in an x-orig-csp
header to prevent re-processing issues wi...
jahoti

07/24/2021

08:47 AM Feature #48: Load default_setting.json using XMLHttpRequest
Depends. We can make this issue obsolete and completely move bundled settings to the repo.
Or, after moving most o...
koszko

07/23/2021

12:38 AM Feature #48: Load default_setting.json using XMLHttpRequest
Preferrably preceded by: <https://hachettebugs.koszko.org/issues/59> jahoti
12:32 AM Feature #38: Add support to also inject css files to pages
Perhaps part of <https://hachettebugs.koszko.org/boards/1/topics/56>. jahoti
12:13 AM Feature #20 (In Progress): block prefetch
See <https://hachettebugs.koszko.org/issues/53#note-2>. jahoti
12:12 AM Bug #53 (In Progress): Interference with existing CSP headers
A fix is now implemented by parsing CSP headers for direct handling, which also allows removing of directives that re... jahoti
06:27 PM Feature #63 (Closed): Force <noscript> tags on pages where scripts are blocked
Other extensions should already have some code for this koszko
05:32 PM Revision d42dadca (haketilo): extract observables implementation from storage.js
koszko
11:57 AM Feature #50 (Closed): Standardize repository APIs/data formats
That seems good, and it's flexible enough (being JSON) to be modified as the system evolves or even if anybody disagr... jahoti

07/22/2021

11:18 AM Feature #50: Standardize repository APIs/data formats
How about a JSON interface? Later on we can simply add more fields to the JSON objects described now. Please tell wha... koszko
02:00 AM Revision 77139a6f (haketilo): Fix some bugs in the refined CSP handling
jahoti

07/21/2021

11:48 PM Bug #53: Interference with existing CSP headers
Currently working on this (albeit somewhat slowly). jahoti
10:00 PM Revision c483ae19 (haketilo): add ability to query page content from repo and display it in the popup
koszko
05:42 PM Revision 5c685518 (haketilo): store repository URLs in settings
koszko
05:40 PM Revision fb9c808c (haketilo): remove unused variables
koszko
04:23 PM Feature #50: Standardize repository APIs/data formats
Related topic: https://hachettebugs.koszko.org/boards/1/topics/56 koszko
04:21 PM Feature #25 (Closed): stop always using the same script nonce on given https(s) site
Ok, this has been merged yesterday koszko
09:18 AM Feature #30 (Closed): Rename the extension and find some good icon ๐Ÿช“
Merged to master :) koszko
02:00 AM Revision 57b80d72 (haketilo): [UNTESTED- will test] Use more nuanced CSP filtering
CSP headers are now parsed and processed, rather than treated as simple
units. This allows us to ensure policies deli...
jahoti
02:00 AM Revision efce4e98 (haketilo): Merge remote-tracking branch 'origin/koszko' into jahoti
jahoti
02:00 AM Revision efd6ae83 (haketilo): Remove unnecessary imports of url_item and add a CSP header-parsing function
The parsing function isn't used yet; however, it will eventually be as a less
destructive alternative to handling hea...
jahoti

07/20/2021

01:05 AM Feature #30: Rename the extension and find some good icon ๐Ÿช“
> I pushed it on my branch, waiting for your feedback
It's an emphatic "yes" from me on all counts!
(except Chr...
jahoti
12:15 PM Feature #30 (Feedback): Rename the extension and find some good icon ๐Ÿช“
Chromium rejected SVG icons, so I made it into PNG of various sizes. I automatized this with an sh loop and an inksca... koszko
12:03 PM Revision 081739e7 (haketilo): Merge rebranding to "Hachette"
koszko
11:25 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use
koszko
11:25 AM Bug #54: Remote-storage port(s) are disconnected while still in use
Turns out it was a page_info_server error caused by a typo (missed underscore caused some storage change callback not... koszko
10:26 AM Bug #54 (In Progress): Remote-storage port(s) are disconnected while still in use
Yes, I seems to happen exclusively after "View in settings" or "Edit in settings" is used. I now know that I introduc... koszko
11:20 AM Revision 82836b92 (haketilo): fix options_main.js bugs
koszko
11:19 AM Revision 9e26b71e (haketilo): fix page info server bugs
koszko
10:17 AM Revision 0c7c1ebd (haketilo): Merge commit 'ecb787046271de708b94da70240713e725299d86'
koszko

07/19/2021

12:01 AM Feature #30: Rename the extension and find some good icon ๐Ÿช“
Oh yes! That looks great, and after looking through the others I completely agree with picking it. Patch incoming! jahoti
01:12 PM Feature #30: Rename the extension and find some good icon ๐Ÿช“
How about:
https://publicdomainvectors.org/en/tag/hatchet
Out of those, I personally liek this one the most:
htt...
koszko
12:57 PM Feature #30: Rename the extension and find some good icon ๐Ÿช“
Patches for renaming have been pushed to both the `jahoti` and `nonce-PoC` branches.
All that remains, if that wen...
jahoti
09:03 AM Feature #30: Rename the extension and find some good icon ๐Ÿช“
The renaming part shouldn't take too long jahoti
10:18 AM Feature #27: make extension's all html files proper XHTML
Indeed :) koszko
02:00 AM Revision 97f683e2 (haketilo): Change the icon
jahoti
02:00 AM Revision 6b12a034 (haketilo): Refer to the extension consistently as "Hachette" and remove TODOS.org
from the copyright file jahoti

07/18/2021

07:45 AM Feature #27: make extension's all html files proper XHTML
Actually, not yet- should this be low priority? jahoti
07:42 AM Feature #27 (In Progress): make extension's all html files proper XHTML
Working on this. jahoti
07:41 AM Feature #36: prepare application for NLnet fund
Unassigning myself as it is no longer accurate or reasonable to say only one person is involved with it. jahoti
06:09 AM Bug #54: Remote-storage port(s) are disconnected while still in use
The issue, it turns out, can be reproduced by opening the popup on an unprivileged page and then playing with the set... jahoti
02:46 AM Bug #54: Remote-storage port(s) are disconnected while still in use
> Any additional details as to how to reproduce the error? I guess it must have something to do with closing of the s... jahoti
02:41 AM Feature #25: stop always using the same script nonce on given https(s) site
>> The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it c... jahoti
02:00 AM Revision ecb78704 (haketilo): Streamline and harden unique values/settings
The base URL is now included in the settings. The unique value no longer uses
it directly, as it is included by virtu...
jahoti

07/17/2021

09:58 PM Bug #54: Remote-storage port(s) are disconnected while still in use
That's possible. I've been fighting these ports also when making the popup page.
Any additional details as to how ...
koszko
09:12 AM Bug #54 (Closed): Remote-storage port(s) are disconnected while still in use
Potentially there are other issues with storage, and the situation may not even be limited to Gecko; however, these a... jahoti
02:50 PM Feature #25: stop always using the same script nonce on given https(s) site
> * The base URL isn't sent in the settings; instead, if the unique value doesn't match then the listener assumes it ... koszko
12:52 PM Feature #25: stop always using the same script nonce on given https(s) site
> I was arguing for drawing a salt and deriving the nonce from salt, URL, time and secret.
That makes sense!
> ...
jahoti
11:23 AM Feature #25: stop always using the same script nonce on given https(s) site
> Just to check, are you arguing for drawing one random value or a salt and, separately, a nonce?
I was arguing fo...
koszko
09:42 AM Feature #25: stop always using the same script nonce on given https(s) site
>> That would be OK- the nonce can be (and is) generated randomly for each request[...]
> And we need either salt or...
jahoti
08:33 AM Feature #25: stop always using the same script nonce on given https(s) site
jahoti wrote:
> >> In the current PoC that would still let them whitelist the page entirely
> > Right, I missed tha...
koszko
09:09 AM Bug #53 (Closed): Interference with existing CSP headers
Current handling of pre-existing CSP headers needs to be refined:
* Pre-existing http-equiv embeds and actual header...
jahoti
09:02 AM Bug #52 (Closed): Headers not updated on cached requests
Thanks for the API suggestions! It turns out the issue was indeed the same as you worked around earlier, and a minor ... jahoti
02:00 AM Revision 8b823e1a (haketilo): Revamp signatures and break header caching on FF
Signatures, instead of consisting of the secure salt followed by the unique
value generated from the URL, are now the...
jahoti

07/16/2021

12:25 AM Feature #25: stop always using the same script nonce on given https(s) site
>> In the current PoC that would still let them whitelist the page entirely
> Right, I missed that. How about when s...
jahoti
12:05 PM Feature #25: stop always using the same script nonce on given https(s) site
> >> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> > Not if s...
koszko
11:32 AM Feature #25: stop always using the same script nonce on given https(s) site
>> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
> Not if someo...
jahoti
10:06 AM Feature #25: stop always using the same script nonce on given https(s) site
> Firstly, is there any point in drawing a random salt? It doesn't prevent a replay attack by itself
Not if someon...
koszko
09:03 AM Feature #25: stop always using the same script nonce on given https(s) site
> It does actually show up, at least under Chromium, but only for a moment. Or rather it used to show up, before I co... jahoti
09:33 AM Bug #52: Headers not updated on cached requests
There seem to be some APIs for that. The one that reloads a tab while bypassing cache seems to be the most promising:... koszko
09:06 AM Bug #52 (Closed): Headers not updated on cached requests
When a page is loaded from the cache (e.g. after reloading), we don't (can't?) modify the headers. That means, for in... jahoti
02:00 AM Revision 692577bb (haketilo): Use URL-based policy smuggling
Increase the power of URL-based smuggling by making it (effectively)
compulsory in all cases and adapting a <salt><un...
jahoti

07/14/2021

12:16 PM Feature #25: stop always using the same script nonce on given https(s) site
> Unless you get to it first, I'll try implementing it in the next 24 hours.
Go on. I am doing repo stuff right no...
koszko
11:27 AM Feature #25: stop always using the same script nonce on given https(s) site
I agree with doing it as a PoC with JSON-encoded settings; that was the idea I meant to communicate, even if (looking... jahoti
09:40 AM Feature #25: stop always using the same script nonce on given https(s) site
> While the details should still be discussed before declaring it finalized
It's still possible to make a proof-of...
koszko
07:28 AM Feature #25: stop always using the same script nonce on given https(s) site
> In general, after `#' we can have the unique value used to authenticate the injected string, followed by settings s... jahoti
11:57 AM Feature #36: prepare application for NLnet fund
Slightly adjusted to reflect the fact that there is now a stakeholders (ugh) section, a brief section on technical ch... jahoti
11:47 AM Feature #43 (Rejected): Replace common/sha256.js with crypto.subtle
As per message#49 this is dependent on dropping the use of unfixed verifiers ("unique values"), which is properly a s... jahoti

07/13/2021

12:22 PM Feature #25: stop always using the same script nonce on given https(s) site
> only question is how to fit it alongside the smuggled whitelisting code; do you have a possible scheme?
The whi...
koszko
11:46 AM Feature #25: stop always using the same script nonce on given https(s) site
> However, one more thing came to my mind. When rewriting headers, we could also smuggle the random nonce (or better ... jahoti
11:38 AM Feature #25: stop always using the same script nonce on given https(s) site
> > Also, have you thought about deriving HTTP(s) nonce from url, tab id and frame id? This way we would not need to ... koszko

07/12/2021

12:01 AM Feature #25: stop always using the same script nonce on given https(s) site
> I think we should also add some way to forget the nonces that are not going to be used anymore (for example because... jahoti
02:35 PM Feature #25 (In Progress): stop always using the same script nonce on given https(s) site
Merged into master. Honestly, I am neutral towards that unrelated patch.
I think we should also add some way to fo...
koszko
07:13 AM Feature #25 (Feedback): stop always using the same script nonce on given https(s) site
jahoti
07:08 AM Feature #25: stop always using the same script nonce on given https(s) site
Patch awaiting acceptance/rejection: testing on Chromium is *critical*, as there is a potential (albeit improbable) r... jahoti
02:22 PM Revision 1789f174 (haketilo): merge jahoti into master
koszko
07:14 AM Feature #44 (Resolved): Load in default settings using the build system
jahoti
07:10 AM Feature #44 (Feedback): Load in default settings using the build system
jahoti
07:10 AM Feature #44 (In Progress): Load in default settings using the build system
jahoti
07:09 AM Feature #44 (Feedback): Load in default settings using the build system
jahoti
02:00 AM Revision dcfc78b0 (haketilo): Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores ...
jahoti
 

Also available in: Atom