Activity
From 07/28/2021 to 08/26/2021
08/26/2021
- 03:55 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > We could use webRequest to remove our cookies from request headers in case they happen to get there
Committed to... - 03:53 PM Revision 3303d7d7 (haketilo): filter HTTP request headers to remove Hachette cookies in case they slip through
- 11:50 AM Revision 2875397f (haketilo): improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.
- 09:54 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I'll try and do this today.
If it turns out to work, you should be able to use StreamFilter code from 6b53d6c840...
08/25/2021
- 12:07 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's <head> ends so t...
- 09:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's `<head>` ends so t...
08/23/2021
- 11:56 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I hate web browsers. It all grows waaaay more complex than I expected.
Which then wastes half one's energy remem... - 06:18 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I'll investigate possible workarounds for Mozilla.
I did.
* We can make a HTML on-the-fly "parser" by creating ... - 11:14 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- The code that uses StreamFilter is now on my branch. The remaining issues are worth mentioning:
1. Under Chromium ... - 11:17 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think...
- 11:05 AM Revision 6b53d6c8 (haketilo): use StreamFilter under Mozilla to prevent csp <meta> tags from blocking our injected scripts
08/22/2021
- 02:00 AM Revision 6c69435c (haketilo): Support a custom certificates directory in test/server.py
- 02:00 AM Revision bb550c36 (haketilo): Incorporate patch for test/gorilla.py
- Patch by Wojtek provides a bundle-all option and only reads Hydrilla files.
08/21/2021
- 08:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- Had some issues again (document created with `DOMParser` can be written to under Chromium but not under IceCat 60). A...
08/20/2021
- 01:04 PM Feature #15 (In Progress): make sure page's own csp in <head> doesn't block our scripts
- > Maybe the *extension* should have been named Hydrilla- whenever one path gets cut off, two more grow in its place :...
- 12:57 PM Revision d09b7ee1 (haketilo): sanitize `<meta>' tags containing CSP rules under Chromium
- This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the le...
- 11:06 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- Thanks for pointing out. I'll fix it together with some bigger changes for issue 15 https://hachettebugs.koszko.org/i...
- 07:20 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > EDIT: Newest commit on my branch restores compatibility with IceCat 60. Testing on other browsers still welcome :)
...
08/19/2021
- 01:49 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think t...
08/18/2021
- 08:57 PM Support #75 (Rejected): ServiceWorkers
- Investigate into Service Workers. Find out if some additional measures need to be taken against them
- 08:54 PM Revision 3d0efa15 (haketilo): remove unneeded policy-related cosole messages; restore IceCat 60 compatibility
- 06:10 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > Sounds like a winner (and much safer than dealing with the URL fragment)!
It is indeed way more convenient. Safe... - 05:53 PM Revision 014f2a2f (haketilo): implement smuggling via cookies instead of URL
- 05:51 PM Revision 0bbda8fc (haketilo): enhance our bundler to protect top-level `this' from accidental clobbering
08/17/2021
- 01:19 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > Sad that I already wrote the toughest parts of that one :/
*Sigh* :/
At least you've got something to start w... - 07:50 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- UPDATE
Bad news (but read on!) - we cannot use `document.write()` this way from content script nor from any `<script... - 01:13 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- Sounds like a winner (and much safer than dealing with the URL fragment)! That said, is there any way to deal with a ...
- 07:41 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- We should investigate if we can use `Set-Cookie` header instead of URL for policy smuggling
EDIT: Looks very promi... - 02:00 AM Revision 9e280d45 (haketilo): Begin work on a Hydrilla-compatible virtual website for testing
- The file test/gorilla.py will help with testing respositories.
It also provides a CLI Hydrilla > Hachette fix converter. - 02:00 AM Revision e9b7f4d7 (haketilo): Enable the hijacking proxy in the test suite to serve responses
- 02:00 AM Revision 5b7c9edb (haketilo): Merge remote-tracking branch 'origin/master' into jahoti
08/16/2021
- 11:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I think it will take me a little while to understand exactly what magic you've pulled :).
All that's needed is t...
08/15/2021
- 12:47 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- That is genuine genius- I think it will take me a little while to understand exactly what magic you've pulled :).
- 09:08 AM Bug #53: Interference with existing CSP headers
- No- feel free to delete the csp-PoC branch.
08/14/2021
- 01:03 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > A spurious `</script>` at the beginning of the document could cause serious issues with my method. There are, howev...
- 09:42 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > > So, in the end, this will not only allow us to modify the offending csp rules but also impose script-blocking and...
- 03:10 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I started looking for a solution and found out a very good thing. In Chromium at `document_start` we could stop unw...
- 10:21 AM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo
- Tested with Google Drive fixes. Closing. Documentation will be added at some point.
- 10:10 AM Bug #53 (Closed): Interference with existing CSP headers
- Merged to master. You no longer need the `csp-PoC` branch, do you?
- 02:25 AM Bug #53: Interference with existing CSP headers
- > From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP...
- 10:07 AM Revision 443bc095 (haketilo): merge facility to install from Hydrilla
- 09:54 AM Revision ae1844f9 (haketilo): merge csp-PoC
- 02:00 AM Revision 6fda8ea5 (haketilo): Revert changes to content/main.js to commit 25817b68c*
- It turns out modifying the CSP headers in meta tags has no effect.
08/13/2021
- 06:03 PM Feature #29 (Closed): validate settings data on import
- I did it as part of https://hachettebugs.koszko.org/issues/17
For now, it's on `koszko` branch - 05:23 PM Bug #53: Interference with existing CSP headers
- From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP `...
- 05:13 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- I see you tried to remove the offending `<meta>` csp tags in the csp-PoC branch. Unfortunately, to the extent I teste...
- 12:51 PM Feature #34: improve CSP injection blocking
- Update: we might be able to just inject `<meta>` at the very beginning of the document. Browsers seem to be able to d...
08/10/2021
08/06/2021
- 05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo
- I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
... - 05:17 PM Revision 792fbe18 (haketilo): Facilitate installation of scripts from the repository
- This commit includes:
* removal of page_info_server
* running of storage client in popup context
* extraction of some... - 02:42 AM Feature #66: Write tests
- > Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha... - 02:00 AM Revision 7796e554 (haketilo): Add the beginnings of a test suite
08/05/2021
- 08:44 PM Revision 90896bcf (haketilo): enable modularization of html files
- 12:30 PM Feature #66: Write tests
- jahoti wrote:
> This is now off to a (very slow) start.
>
> It's currently in a separate folder to Hachette; shou... - 11:47 AM Feature #66: Write tests
- This is now off to a (very slow) start.
It's currently in a separate folder to Hachette; should that continue, or ... - 12:15 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > > Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening `https://example.com/` in...
- 11:32 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > Does WebRequest not allow rewriting of [the referer] header?
WebRequest probably does actually; thanks for point...
08/04/2021
- 10:01 PM Revision 5957fbee (haketilo): make settings_query.js use storage object passed as an argument
- 10:19 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > > BTW, we could also facilitate spoofing of the referer header for similar purposes
>
> Are extensions allowed t...
08/03/2021
- 11:48 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > BTW, we could also facilitate spoofing of the referer header for similar purposes
Are extensions allowed to spoo... - 11:29 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
- We definitely need to support this; the question is, as you point out, how. Using the `script` tag is probably an abu...
08/02/2021
- 01:19 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- Please note that under Manifest V3 in Chrome we'll be able to dynamically register content scripts which might solve ...
- 12:50 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has ... - 11:49 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- While they're not the **only** use (as outlined in the description), meta-sites will almost certainly be the main app...
- 04:09 PM Feature #71 (Closed): [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- Cross-Origin Resource Sharing (CORS) is a mechanism through which browsers can decide whether a page should or should...
- 11:51 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
- I've seen this, and will reply later.
- 02:44 PM Feature #69 (New): [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
- Consider fixes like that for Google Sheets[^gsheets_script]. They heavily use `document.createElement()` to construct...
- 11:47 PM Feature #73 (New): [Roadmap 6] Implement a permissions system
- This seems to be a common component of several security- and feature-related powers now. It probably deserves a stand...
- 11:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > Correct assumption [that I'm working on Odyssey]. I should've stated that explicitly
That's OK- it would have be... - 01:18 PM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette
- > I've left work on the Odyssey fix to you, on the assumption that you were working on it
Correct assumption. I sh... - 11:14 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- I've left work on the Odyssey fix to you, on the assumption that you were working on it- sorry if I was misunderstand...
- 05:00 PM Feature #36 (Closed): prepare application for NLnet fund
- 04:24 PM Feature #72 (New): [Roadmap 18][Milestone] Facilitate creation of "meta-sites"
- Besides making fixes for sites like Odysee, YouTube, Vimeo, etc., we could also go further and create standalone ephe...
- 02:46 PM Feature #70 (New): [Roadmap 7][Milestone] Add facility to replace sites' original HTML with custom one
- So far we were focusing on writing custom javascript for files. However, we often end up implementing our own site in...
- 02:00 AM Revision 5b419aed (haketilo): [UNTESTED- will test] Add filtering for http-equiv CSP headers
08/01/2021
- 12:26 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > They must be using a distinct API to load the videos.
Anyway, we only need video name and the first hex digit of... - 02:18 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > In case you want to devote some time to improve this fix, here[1] is one video page that doesn't work. I assume it ...
07/31/2021
- 11:24 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > You did it- it works!
In case you want to devote some time to improve this fix, here[1] is one video page that d... - 11:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- Oh, and- while it's definitely not relevant for the preview- I'm working on `pcspecialist.co.uk`.
(the reverted La... - 11:15 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- You did it- it works! Technically the video never actually played on TBB, given how painfully slow the network is, ye...
- 11:07 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > I'll do this right now.
No need to hurry - I already have a screenshot sufficient for the preview.
I would be... - 10:52 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > No, it's not what I meant :D
> I was referring to "would that need a settings screenshot too". I meant an addition... - 01:16 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > > I don't think this is needed.
>
> OK- I've stripped that out entirely and just left the `ask ubuntu` (is that ... - 12:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > I don't think this is needed.
OK- I've stripped that out entirely and just left the `ask ubuntu` (is that what y... - 12:22 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > Making `losedows phone exchange` the main `stackexchange` example, and then using `ask ubuntu` to show how Hachette...
- 02:32 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- While applying the modifications, I also made some changes to try and differentiate the examples:
* Removing the `ba... - 02:24 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > > One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn'...
- 11:36 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- Other major ones left are Abrowser, Pure Browser (even though Pure OS by itself is misbehaving), maybe also Brave and...
- 03:14 AM Feature #37 (Closed): prepare some website fixes usable with this extension
- <https://git.koszko.org/hachette_fixes_tmp>
IMO, there's enough fixes available now to consider this complete. - 03:11 AM Feature #64 (Closed): Plan the update system
07/30/2021
- 11:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn't....
- 10:56 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > There are only really two small changes I can suggest, which I can make if you want
Go on with all you suggested... - 10:49 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > What do you think of the pdf in its current form?
It genuinely looks *amazing*, and the summaries are really eff... - 06:23 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- What do you think of the pdf in its current form?
https://koszko.org/preview.pdf
EDIT: Also, I put all the fi... - 06:23 PM Support #68 (In Progress): Prepare some screenshot documenting sites fixed using Hachette
- 12:00 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > File attachment here seems to be timing out for me
Probably not really the matter of time. Apache log:
```
[Fr... - 10:12 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- Those are looking good- nevertheless, I'll probably leave styling to you, seeing as I am terrible at it! File attachm...
07/29/2021
- 10:14 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- I started composing this attachment as a PDF. I will need to work on the styling, though (or you can do this if you w...
- 07:33 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- You might also want to look at my new Google sheets fix. The initial portion of the sheet that is served as HTML is s...
- 03:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > That works really well!
Surprising, isn't it?
One would expect that Google's CSP rule from http-equiv <meta> ... - 09:21 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- That works really well!
Unforeseen circumstances meant I haven't done much on this so far, unfortunately; however,...
07/28/2021
- 07:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- > [...] and perhaps write some more (quick and dirty) fixes of various kinds, that might help get the point across ev...
- 11:09 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette
- I think it's a great idea! If we try and get as many browsers as possible too, and perhaps write some more (quick and...
- 10:38 AM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette
- I thought we could attach some examples of fixed sites in an attachment to the appliction. What do you think about it...
- 12:18 PM Feature #48: Load default_setting.json using XMLHttpRequest
- > > Also, the practice of linking one git repo from another could be useful here.
>
> How do you mean?
https:... - 11:11 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo
- > By "automatically fetch script substitutes" I don't mean just downloading scripts that have URL+sha256sum provided ...
- 09:11 AM Feature #17 (In Progress): enable the extension to automatically fetch script substitutes from the repo
- jahoti wrote:
> Hasn't this been addressed?
Actually, I am working on this right now. By "automatically fetch scr... - 07:30 AM Feature #17: enable the extension to automatically fetch script substitutes from the repo
- Hasn't this been addressed?
- 11:06 AM Feature #64: Plan the update system
- > EDIT: Actually, I noticed the issue is "Plan the update system", not "implement", so we indeed can discuss this now...
- 09:17 AM Feature #64: Plan the update system
- > perhaps adding the option to update everything at once too.
That makes sense.
However, to avoid the infrastru... - 07:37 AM Feature #64: Plan the update system
- Well, I seem to have misremembered some parts of threads and can't find others, which leaves asking a much less plaus...
- 09:24 AM Feature #66: Write tests
- jahoti wrote:
> Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sor... - 07:27 AM Feature #66: Write tests
- Mocking sites is definitely critical, albeit probably better done with a hijacking proxy of some sort (my words, not ...
- 02:00 AM Revision 25817b68 (haketilo): Rationalize CSP violation report blocking.
- Report blocking now applies iff scripts are blocked.
Also available in: Atom