Haketilo

08/27/2021

10:58 AM Feature #79 (Closed): Improve the build script by using awk

Since writing `build.sh` I realized some things could be done a lot easier using awk koszko

10:56 AM Feature #23 (Resolved): also implement support for whitelisting of non-https urls

koszko

10:55 AM Feature #23: also implement support for whitelisting of non-https urls

`ftp://` is now also ready and pushed to this temporary branch. Changes will be merged together with completed Featur... koszko

10:12 AM Feature #23: also implement support for whitelisting of non-https urls

Support for the `file://` protocol is now on the `koszko-smuggle-policy` branch. I re-used the temporarily-unused app... koszko

10:32 AM Support #78 (Rejected): Investigate into how browsers handle files that are not HTML

Our tampering with HTML pages, including rewriting parts of them using the StreamFilter API, might cause problems whe... koszko

10:26 AM Feature #77: Check LibreJS is compatible with this extension.

# History before copying
koszko wrote:
> I assume by compatibility you mean the ability to run side-by-side with ... koszko

10:26 AM Feature #77 (Closed): Check LibreJS is compatible with this extension.

Many swfreedom supporters prefer LibreJS' blocking mechanism. As there's good reason to expect compatability, it woul... koszko

10:07 AM Feature #13: find some way not to require each chrome user to modify manifest.json

Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret koszko

08/26/2021

03:55 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

> We could use webRequest to remove our cookies from request headers in case they happen to get there
Committed to... koszko

09:54 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> I'll try and do this today.
If it turns out to work, you should be able to use StreamFilter code from 6b53d6c840... koszko

08/25/2021

12:07 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's <head> ends so t... jahoti

09:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's `<head>` ends so t... koszko

08/23/2021

11:56 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> I hate web browsers. It all grows waaaay more complex than I expected.
Which then wastes half one's energy remem... jahoti

06:18 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> I'll investigate possible workarounds for Mozilla.
I did.
* We can make a HTML on-the-fly "parser" by creating ... koszko

11:14 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts

The code that uses StreamFilter is now on my branch. The remaining issues are worth mentioning:
1. Under Chromium ... koszko

11:17 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

> > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think... koszko

08/21/2021

08:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

Had some issues again (document created with `DOMParser` can be written to under Chromium but not under IceCat 60). A... koszko

08/20/2021

01:04 PM Feature #15 (In Progress): make sure page's own csp in <head> doesn't block our scripts

> Maybe the *extension* should have been named Hydrilla- whenever one path gets cut off, two more grow in its place :... koszko

11:06 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

Thanks for pointing out. I'll fix it together with some bigger changes for issue 15 https://hachettebugs.koszko.org/i... koszko

07:20 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

> EDIT: Newest commit on my branch restores compatibility with IceCat 60. Testing on other browsers still welcome :)
... jahoti

08/19/2021

01:49 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

> Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think t... jahoti

08/18/2021

08:57 PM Support #75 (Rejected): ServiceWorkers

Investigate into Service Workers. Find out if some additional measures need to be taken against them koszko

06:10 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

> Sounds like a winner (and much safer than dealing with the URL fragment)!
It is indeed way more convenient. Safe... koszko

08/17/2021

01:19 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> Sad that I already wrote the toughest parts of that one :/
*Sigh* :/
At least you've got something to start w... jahoti

07:50 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

UPDATE
Bad news (but read on!) - we cannot use `document.write()` this way from content script nor from any `<script... koszko

01:13 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

Sounds like a winner (and much safer than dealing with the URL fragment)! That said, is there any way to deal with a ... jahoti

07:41 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL

We should investigate if we can use `Set-Cookie` header instead of URL for policy smuggling
EDIT: Looks very promi... koszko

08/16/2021

11:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> I think it will take me a little while to understand exactly what magic you've pulled :).
All that's needed is t... koszko

08/15/2021

12:47 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

That is genuine genius- I think it will take me a little while to understand exactly what magic you've pulled :). jahoti

09:08 AM Bug #53: Interference with existing CSP headers

No- feel free to delete the csp-PoC branch. jahoti

08/14/2021

01:03 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> A spurious `</script>` at the beginning of the document could cause serious issues with my method. There are, howev... koszko

09:42 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> > So, in the end, this will not only allow us to modify the offending csp rules but also impose script-blocking and... koszko

03:10 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts

> I started looking for a solution and found out a very good thing. In Chromium at `document_start` we could stop unw... jahoti

10:21 AM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo

Tested with Google Drive fixes. Closing. Documentation will be added at some point. koszko

10:10 AM Bug #53 (Closed): Interference with existing CSP headers

Merged to master. You no longer need the `csp-PoC` branch, do you? koszko

02:25 AM Bug #53: Interference with existing CSP headers

> From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP... jahoti

08/13/2021

06:03 PM Feature #29 (Closed): validate settings data on import

I did it as part of https://hachettebugs.koszko.org/issues/17
For now, it's on `koszko` branch koszko

05:23 PM Bug #53: Interference with existing CSP headers

From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP `... koszko

05:13 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts

I see you tried to remove the offending `<meta>` csp tags in the csp-PoC branch. Unfortunately, to the extent I teste... koszko

12:51 PM Feature #34: improve CSP injection blocking

Update: we might be able to just inject `<meta>` at the very beginning of the document. Browsers seem to be able to d... koszko

08/06/2021

05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo

I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
... koszko

02:42 AM Feature #66: Write tests

> Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha... jahoti

08/05/2021

12:30 PM Feature #66: Write tests

jahoti wrote:
> This is now off to a (very slow) start.
>
> It's currently in a separate folder to Hachette; shou... koszko

11:47 AM Feature #66: Write tests

This is now off to a (very slow) start.
It's currently in a separate folder to Hachette; should that continue, or ... jahoti

12:15 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> > Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening `https://example.com/` in... koszko

11:32 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> Does WebRequest not allow rewriting of [the referer] header?
WebRequest probably does actually; thanks for point... jahoti

08/04/2021

10:19 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> > BTW, we could also facilitate spoofing of the referer header for similar purposes
>
> Are extensions allowed t... koszko

08/03/2021

11:48 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

> BTW, we could also facilitate spoofing of the referer header for similar purposes
Are extensions allowed to spoo... jahoti

11:29 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix

We definitely need to support this; the question is, as you point out, how. Using the `script` tag is probably an abu... jahoti

08/02/2021

01:19 AM Feature #13: find some way not to require each chrome user to modify manifest.json

Please note that under Manifest V3 in Chrome we'll be able to dynamically register content scripts which might solve ... koszko

12:50 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has ... koszko

11:49 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

While they're not the **only** use (as outlined in the description), meta-sites will almost certainly be the main app... jahoti

04:09 PM Feature #71 (Closed): [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS

Cross-Origin Resource Sharing (CORS) is a mechanism through which browsers can decide whether a page should or should... koszko

11:51 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix

I've seen this, and will reply later. jahoti

02:44 PM Feature #69 (New): [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix

Consider fixes like that for Google Sheets[^gsheets_script]. They heavily use `document.createElement()` to construct... koszko

11:47 PM Feature #73 (New): [Roadmap 6] Implement a permissions system

This seems to be a common component of several security- and feature-related powers now. It probably deserves a stand... jahoti

11:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> Correct assumption [that I'm working on Odyssey]. I should've stated that explicitly
That's OK- it would have be... jahoti

01:18 PM Support #68 (Closed): Prepare some screenshot documenting sites fixed using Hachette

> I've left work on the Odyssey fix to you, on the assumption that you were working on it
Correct assumption. I sh... koszko

11:14 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

I've left work on the Odyssey fix to you, on the assumption that you were working on it- sorry if I was misunderstand... jahoti

05:00 PM Feature #36 (Closed): prepare application for NLnet fund

koszko

04:24 PM Feature #72 (New): [Roadmap 18][Milestone] Facilitate creation of "meta-sites"

Besides making fixes for sites like Odysee, YouTube, Vimeo, etc., we could also go further and create standalone ephe... koszko

02:46 PM Feature #70 (New): [Roadmap 7][Milestone] Add facility to replace sites' original HTML with custom one

So far we were focusing on writing custom javascript for files. However, we often end up implementing our own site in... koszko

08/01/2021

12:26 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> They must be using a distinct API to load the videos.
Anyway, we only need video name and the first hex digit of... koszko

02:18 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> In case you want to devote some time to improve this fix, here[1] is one video page that doesn't work. I assume it ... jahoti

07/31/2021

11:24 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> You did it- it works!
In case you want to devote some time to improve this fix, here[1] is one video page that d... koszko

11:19 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

Oh, and- while it's definitely not relevant for the preview- I'm working on `pcspecialist.co.uk`.
(the reverted La... jahoti

11:15 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

You did it- it works! Technically the video never actually played on TBB, given how painfully slow the network is, ye... jahoti

11:07 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> I'll do this right now.
No need to hurry - I already have a screenshot sufficient for the preview.
I would be... koszko

10:52 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> No, it's not what I meant :D
> I was referring to "would that need a settings screenshot too". I meant an addition... jahoti

01:16 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> > I don't think this is needed.
>
> OK- I've stripped that out entirely and just left the `ask ubuntu` (is that ... koszko

12:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> I don't think this is needed.
OK- I've stripped that out entirely and just left the `ask ubuntu` (is that what y... jahoti

12:22 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> Making `losedows phone exchange` the main `stackexchange` example, and then using `ask ubuntu` to show how Hachette... koszko

02:32 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

While applying the modifications, I also made some changes to try and differentiate the examples:
* Removing the `ba... jahoti

02:24 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> > One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn'... koszko

11:36 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)

Other major ones left are Abrowser, Pure Browser (even though Pure OS by itself is misbehaving), maybe also Brave and... koszko

03:14 AM Feature #37 (Closed): prepare some website fixes usable with this extension

<https://git.koszko.org/hachette_fixes_tmp>
IMO, there's enough fixes available now to consider this complete. jahoti

03:11 AM Feature #64 (Closed): Plan the update system

jahoti

07/30/2021

11:31 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> One would expect that Google's CSP rule from http-equiv tag would be blocking our injected script - but it doesn't.... jahoti

10:56 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> There are only really two small changes I can suggest, which I can make if you want
Go on with all you suggested... koszko

10:49 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> What do you think of the pdf in its current form?
It genuinely looks *amazing*, and the summaries are really eff... jahoti

06:23 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

What do you think of the pdf in its current form?
https://koszko.org/preview.pdf
EDIT: Also, I put all the fi... koszko

06:23 PM Support #68 (In Progress): Prepare some screenshot documenting sites fixed using Hachette

koszko

12:00 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> File attachment here seems to be timing out for me
Probably not really the matter of time. Apache log:
```
[Fr... koszko

10:12 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

Those are looking good- nevertheless, I'll probably leave styling to you, seeing as I am terrible at it! File attachm... jahoti

07/29/2021

10:14 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

I started composing this attachment as a PDF. I will need to work on the styling, though (or you can do this if you w... koszko

07:33 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

You might also want to look at my new Google sheets fix. The initial portion of the sheet that is served as HTML is s... koszko

03:38 PM Support #68: Prepare some screenshot documenting sites fixed using Hachette

> That works really well!
Surprising, isn't it?
One would expect that Google's CSP rule from http-equiv <meta> ... koszko

09:21 AM Support #68: Prepare some screenshot documenting sites fixed using Hachette

That works really well!
Unforeseen circumstances meant I haven't done much on this so far, unfortunately; however,... jahoti