Project

General

Profile

Activity

From 07/23/2021 to 08/21/2021

08/21/2021

08:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
Had some issues again (document created with `DOMParser` can be written to under Chromium but not under IceCat 60). A... koszko

08/20/2021

01:04 PM Feature #15 (In Progress): make sure page's own csp in <head> doesn't block our scripts
> Maybe the *extension* should have been named Hydrilla- whenever one path gets cut off, two more grow in its place :... koszko
11:06 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
Thanks for pointing out. I'll fix it together with some bigger changes for issue 15 https://hachettebugs.koszko.org/i... koszko
07:20 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> EDIT: Newest commit on my branch restores compatibility with IceCat 60. Testing on other browsers still welcome :)
...
jahoti

08/19/2021

01:49 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think t... jahoti

08/18/2021

08:57 PM Support #75 (Rejected): ServiceWorkers
Investigate into Service Workers. Find out if some additional measures need to be taken against them koszko
06:10 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> Sounds like a winner (and much safer than dealing with the URL fragment)!
It is indeed way more convenient. Safe...
koszko

08/17/2021

01:19 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> Sad that I already wrote the toughest parts of that one :/
*Sigh* :/
At least you've got something to start w...
jahoti
07:50 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
UPDATE
Bad news (but read on!) - we cannot use `document.write()` this way from content script nor from any `<script...
koszko
01:13 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
Sounds like a winner (and much safer than dealing with the URL fragment)! That said, is there any way to deal with a ... jahoti
07:41 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
We should investigate if we can use `Set-Cookie` header instead of URL for policy smuggling
EDIT: Looks very promi...
koszko

08/16/2021

11:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I think it will take me a little while to understand exactly what magic you've pulled :).
All that's needed is t...
koszko

08/15/2021

12:47 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
That is genuine genius- I think it will take me a little while to understand exactly what magic you've pulled :). jahoti
09:08 AM Bug #53: Interference with existing CSP headers
No- feel free to delete the csp-PoC branch. jahoti

08/14/2021

01:03 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> A spurious `</script>` at the beginning of the document could cause serious issues with my method. There are, howev... koszko
09:42 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> > So, in the end, this will not only allow us to modify the offending csp rules but also impose script-blocking and... koszko
03:10 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I started looking for a solution and found out a very good thing. In Chromium at `document_start` we could stop unw... jahoti
10:21 AM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo
Tested with Google Drive fixes. Closing. Documentation will be added at some point. koszko
10:10 AM Bug #53 (Closed): Interference with existing CSP headers
Merged to master. You no longer need the `csp-PoC` branch, do you? koszko
02:25 AM Bug #53: Interference with existing CSP headers
> From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP... jahoti

08/13/2021

06:03 PM Feature #29 (Closed): validate settings data on import
I did it as part of https://hachettebugs.koszko.org/issues/17
For now, it's on `koszko` branch
koszko
05:23 PM Bug #53: Interference with existing CSP headers
From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP `... koszko
05:13 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
I see you tried to remove the offending `<meta>` csp tags in the csp-PoC branch. Unfortunately, to the extent I teste... koszko
12:51 PM Feature #34: improve CSP injection blocking
Update: we might be able to just inject `<meta>` at the very beginning of the document. Browsers seem to be able to d... koszko

08/06/2021

05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo
I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
...
koszko
02:42 AM Feature #66: Write tests
> Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha...
jahoti

08/05/2021

12:30 PM Feature #66: Write tests
jahoti wrote:
> This is now off to a (very slow) start.
>
> It's currently in a separate folder to Hachette; shou...
koszko
11:47 AM Feature #66: Write tests
This is now off to a (very slow) start.
It's currently in a separate folder to Hachette; should that continue, or ...
jahoti
12:15 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> > Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening `https://example.com/` in... koszko
11:32 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> Does WebRequest not allow rewriting of [the referer] header?
WebRequest probably does actually; thanks for point...
jahoti

08/04/2021

10:19 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> > BTW, we could also facilitate spoofing of the referer header for similar purposes
>
> Are extensions allowed t...
koszko

08/03/2021

11:48 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> BTW, we could also facilitate spoofing of the referer header for similar purposes
Are extensions allowed to spoo...
jahoti
11:29 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
We definitely need to support this; the question is, as you point out, how. Using the `script` tag is probably an abu... jahoti

08/02/2021

01:19 AM Feature #13: find some way not to require each chrome user to modify manifest.json
Please note that under Manifest V3 in Chrome we'll be able to dynamically register content scripts which might solve ... koszko
12:50 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has ...
koszko
11:49 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
While they're not the **only** use (as outlined in the description), meta-sites will almost certainly be the main app... jahoti
04:09 PM Feature #71 (Closed): [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
Cross-Origin Resource Sharing (CORS) is a mechanism through which browsers can decide whether a page should or should... koszko
11:51 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
I've seen this, and will reply later. jahoti
02:44 PM Feature #69 (New): [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
Consider fixes like that for Google Sheets[^gsheets_script]. They heavily use `document.createElement()` to construct... koszko
11:47 PM Feature #73 (New): [Roadmap 6] Implement a permissions system
This seems to be a common component of several security- and feature-related powers now. It probably deserves a stand... jahoti
11:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> Correct assumption [that I'm working on Odyssey]. I should've stated that explicitly
That's OK- it would have be...
jahoti
01:18 PM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette
> I've left work on the Odyssey fix to you, on the assumption that you were working on it
Correct assumption. I sh...
koszko
11:14 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
I've left work on the Odyssey fix to you, on the assumption that you were working on it- sorry if I was misunderstand... jahoti
05:00 PM Feature #36 (Closed): prepare application for NLnet fund
koszko
04:24 PM Feature #72 (New): [Roadmap 18][Milestone] Facilitate creation of "meta-sites"
Besides making fixes for sites like Odysee, YouTube, Vimeo, etc., we could also go further and create standalone ephe... koszko
02:46 PM Feature #70 (New): [Roadmap 7][Milestone] Add facility to replace sites' original HTML with custom one
So far we were focusing on writing custom javascript for files. However, we often end up implementing our own site in... koszko

08/01/2021

12:26 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> They must be using a distinct API to load the videos.
Anyway, we only need video name and the first hex digit of...
koszko
02:18 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> In case you want to devote some time to improve this fix, here[1] is one video page that doesn't work. I assume it ... jahoti

07/31/2021

11:24 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> You did it- it works!
In case you want to devote some time to improve this fix, here[1] is one video page that d...
koszko
11:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
Oh, and- while it's definitely not relevant for the preview- I'm working on `pcspecialist.co.uk`.
(the reverted La...
jahoti
11:15 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
You did it- it works! Technically the video never actually played on TBB, given how painfully slow the network is, ye... jahoti
11:07 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> I'll do this right now.
No need to hurry - I already have a screenshot sufficient for the preview.
I would be...
koszko
10:52 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> No, it's not what I meant :D
> I was referring to "would that need a settings screenshot too". I meant an addition...
jahoti
01:16 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> > I don't think this is needed.
>
> OK- I've stripped that out entirely and just left the `ask ubuntu` (is that ...
koszko
12:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> I don't think this is needed.
OK- I've stripped that out entirely and just left the `ask ubuntu` (is that what y...
jahoti
12:22 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> Making `losedows phone exchange` the main `stackexchange` example, and then using `ask ubuntu` to show how Hachette... koszko
02:32 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
While applying the modifications, I also made some changes to try and differentiate the examples:
* Removing the `ba...
jahoti
02:24 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> > One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn'... koszko
11:36 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
Other major ones left are Abrowser, Pure Browser (even though Pure OS by itself is misbehaving), maybe also Brave and... koszko
03:14 AM Feature #37 (Closed): prepare some website fixes usable with this extension
<https://git.koszko.org/hachette_fixes_tmp>
IMO, there's enough fixes available now to consider this complete.
jahoti
03:11 AM Feature #64 (Closed): Plan the update system
jahoti

07/30/2021

11:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn't.... jahoti
10:56 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> There are only really two small changes I can suggest, which I can make if you want
Go on with all you suggested...
koszko
10:49 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> What do you think of the pdf in its current form?
It genuinely looks *amazing*, and the summaries are really eff...
jahoti
06:23 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
What do you think of the pdf in its current form?
https://koszko.org/preview.pdf
EDIT: Also, I put all the fi...
koszko
06:23 PM Support #68 (In Progress): Prepare some screenshot documenting sites fixed using Hachette
koszko
12:00 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> File attachment here seems to be timing out for me
Probably not really the matter of time. Apache log:
```
[Fr...
koszko
10:12 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
Those are looking good- nevertheless, I'll probably leave styling to you, seeing as I am terrible at it! File attachm... jahoti

07/29/2021

10:14 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
I started composing this attachment as a PDF. I will need to work on the styling, though (or you can do this if you w... koszko
07:33 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
You might also want to look at my new Google sheets fix. The initial portion of the sheet that is served as HTML is s... koszko
03:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> That works really well!
Surprising, isn't it?
One would expect that Google's CSP rule from http-equiv <meta> ...
koszko
09:21 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
That works really well!
Unforeseen circumstances meant I haven't done much on this so far, unfortunately; however,...
jahoti

07/28/2021

07:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
> [...] and perhaps write some more (quick and dirty) fixes of various kinds, that might help get the point across ev... koszko
11:09 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
I think it's a great idea! If we try and get as many browsers as possible too, and perhaps write some more (quick and... jahoti
10:38 AM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette
I thought we could attach some examples of fixed sites in an attachment to the appliction. What do you think about it... koszko
12:18 PM Feature #48: Load default_setting.json using XMLHttpRequest
> > Also, the practice of linking one git repo from another could be useful here.
>
> How do you mean?
https:...
koszko
11:11 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo
> By "automatically fetch script substitutes" I don't mean just downloading scripts that have URL+sha256sum provided ... jahoti
09:11 AM Feature #17 (In Progress): enable the extension to automatically fetch script substitutes from the repo
jahoti wrote:
> Hasn't this been addressed?
Actually, I am working on this right now. By "automatically fetch scr...
koszko
07:30 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo
Hasn't this been addressed? jahoti
11:06 AM Feature #64: Plan the update system
> EDIT: Actually, I noticed the issue is "Plan the update system", not "implement", so we indeed can discuss this now... jahoti
09:17 AM Feature #64: Plan the update system
> perhaps adding the option to update everything at once too.
That makes sense.
However, to avoid the infrastru...
koszko
07:37 AM Feature #64: Plan the update system
Well, I seem to have misremembered some parts of threads and can't find others, which leaves asking a much less plaus... jahoti
09:24 AM Feature #66: Write tests
jahoti wrote:
> Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sor...
koszko
07:27 AM Feature #66: Write tests
Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sort (my words, not ... jahoti

07/27/2021

01:01 PM Bug #53: Interference with existing CSP headers
> > Actually, when scripts are blocked, allowing CSP reports would make no sense because it would be violations of ou... koszko
12:03 PM Bug #53: Interference with existing CSP headers
Firstly, header-signing is working OK on Mozilla. While headers are cached across sessions, the secret is too; unless... jahoti
11:30 AM Bug #53: Interference with existing CSP headers
> > As to CSP violation report blocking - should we do that unconditionally? Perhaps there are some legitimate use ca... koszko
06:45 AM Bug #53: Interference with existing CSP headers
> I just notices one possible problem: what if Mozilla caches headers across browser sessions? If so, our "signing" o... jahoti
11:46 AM Feature #67 (Rejected): Document `common/sanitize_JSON.js`
This 400-line js file in `koszko` branch implements a declarative way of enforcing some format on JSON we parse. Unfo... koszko

07/26/2021

04:13 PM Feature #66 (Closed): Write tests
It seems problematic to test software that is meant to run as a browser extension - and it indeed is, especially when... koszko
12:15 PM Bug #65 (Closed): When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
koszko
12:13 PM Bug #53: Interference with existing CSP headers
> The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will re... koszko
09:22 AM Feature #48: Load default_setting.json using XMLHttpRequest
> Not necessarily.
>
> I think reference to how Arch packaging works might be useful here. Arch PKGBUILD script use...
jahoti
08:44 AM Feature #48: Load default_setting.json using XMLHttpRequest
> On the other hand, that could prevent offline builds; IDK.
Not necessarily.
I think reference to how Arch pac...
koszko
09:15 AM Feature #64: Plan the update system
> How about updating site scripts only when the user visits that site? There would only ever be a single script API r... jahoti
08:52 AM Feature #64: Plan the update system
How about updating site scripts only when the user visits that site? There would only ever be a single script API req... koszko

07/25/2021

09:31 AM Bug #53: Interference with existing CSP headers
The patch awaiting merge still doesn't address the CSP we inject *into* the page on Chromium, however. That will requ... jahoti
09:26 AM Bug #53: Interference with existing CSP headers
Patch committed; awaiting acceptance/rejection from master. While it's difficult to be fully confident it's clear, as... jahoti
09:29 AM Feature #19: check if prerendering has to be blocked
Blocking prefetching (as is done on pages without scripts enabled for <#20>) makes prerendering impossible. While it ... jahoti
09:27 AM Feature #20: block prefetch
This is implemented as part of the patch for #53 (it can be done with CSP). However, I couldn't work out how to test ... jahoti
09:13 AM Feature #64 (Closed): Plan the update system
The most natural approach, especially given what we currently have, would be to request information from the server o... jahoti
08:58 AM Feature #48: Load default_setting.json using XMLHttpRequest
Definitely the latter; moving fixes to the repository first would only be in order to have the build script(s) downlo... jahoti

07/24/2021

08:47 AM Feature #48: Load default_setting.json using XMLHttpRequest
Depends. We can make this issue obsolete and completely move bundled settings to the repo.
Or, after moving most o...
koszko

07/23/2021

12:38 AM Feature #48: Load default_setting.json using XMLHttpRequest
Preferrably preceded by: <https://hachettebugs.koszko.org/issues/59> jahoti
12:32 AM Feature #38: Add support to also inject css files to pages
Perhaps part of <https://hachettebugs.koszko.org/boards/1/topics/56>. jahoti
12:13 AM Feature #20 (In Progress): block prefetch
See <https://hachettebugs.koszko.org/issues/53#note-2>. jahoti
12:12 AM Bug #53 (In Progress): Interference with existing CSP headers
A fix is now implemented by parsing CSP headers for direct handling, which also allows removing of directives that re... jahoti
06:27 PM Feature #63 (Closed): Force <noscript> tags on pages where scripts are blocked
Other extensions should already have some code for this koszko
11:57 AM Feature #50 (Closed): Standardize repository APIs/data formats
That seems good, and it's flexible enough (being JSON) to be modified as the system evolves or even if anybody disagr... jahoti
 

Also available in: Atom