Project

General

Profile

Activity

From 08/03/2021 to 09/01/2021

09/01/2021

02:18 PM Feature #11: add some nice styling to settings page
Import dialog is now also styled. All that's left is merging to `master` koszko
02:18 PM Feature #49: add some nice styling to popup
Install dialog is now also styled. All that's left is merging to `master` koszko
11:48 AM Feature #49: add some nice styling to popup
This is now also on `koszko-smuggle-policy` branch, except for the install dialog koszko
01:49 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
Did you have any success? koszko

08/31/2021

01:36 PM Feature #83 (New): Also add ability to selectively block other types of content (e.g. fonts)
Google uses fonts sites load from its servers for snooping. Blocking them causes relatively little issues (compared t... koszko
01:32 PM Feature #11: add some nice styling to settings page
Forgot to mention: this has been ready (except for settings import window) on `koszko-smuggle-policy` branch since ye... koszko

08/30/2021

12:13 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
## Mobile version considerations
I don't have any Android device to test on, although it might be possible to use ...
koszko
12:02 PM Feature #82 (New): Style extension's pages for mobile usage
koszko
12:00 PM Feature #80 (New): Make Haketilo work with mobile versions of browsers
This is mostly the matter of apropriately styling extension's pages. Unfortunately, a libre mobile browser to test on... koszko

08/28/2021

08:56 AM Support #78: Investigate into how browsers handle files that are not HTML
> As for making sure we only filter relevant data, do any browsers try to guess mime types?
By guessing you mean a...
koszko
03:00 AM Support #78: Investigate into how browsers handle files that are not HTML
For the second point at least, I know NoScript operates on XML (and will check uBlock Origin for similar behavior). W... jahoti
08:48 AM Feature #13: find some way not to require each chrome user to modify manifest.json
> Wouldn't that still require each user to build the extension themselves?
It would. It would just be less hacky t...
koszko
02:54 AM Feature #13: find some way not to require each chrome user to modify manifest.json
> Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret
Wouldn't ...
jahoti

08/27/2021

10:58 AM Feature #79 (Closed): Improve the build script by using awk
Since writing `build.sh` I realized some things could be done a lot easier using awk koszko
10:56 AM Feature #23 (Resolved): also implement support for whitelisting of non-https urls
koszko
10:55 AM Feature #23: also implement support for whitelisting of non-https urls
`ftp://` is now also ready and pushed to this temporary branch. Changes will be merged together with completed Featur... koszko
10:12 AM Feature #23: also implement support for whitelisting of non-https urls
Support for the `file://` protocol is now on the `koszko-smuggle-policy` branch. I re-used the temporarily-unused app... koszko
10:32 AM Support #78 (Rejected): Investigate into how browsers handle files that are not HTML
Our tampering with HTML pages, including rewriting parts of them using the StreamFilter API, might cause problems whe... koszko
10:26 AM Feature #77: Check LibreJS is compatible with this extension.
# History before copying
koszko wrote:
> I assume by compatibility you mean the ability to run side-by-side with ...
koszko
10:26 AM Feature #77 (Closed): Check LibreJS is compatible with this extension.
Many swfreedom supporters prefer LibreJS' blocking mechanism. As there's good reason to expect compatability, it woul... koszko
10:07 AM Feature #13: find some way not to require each chrome user to modify manifest.json
Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret koszko

08/26/2021

03:55 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> We could use webRequest to remove our cookies from request headers in case they happen to get there
Committed to...
koszko
09:54 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I'll try and do this today.
If it turns out to work, you should be able to use StreamFilter code from 6b53d6c840...
koszko

08/25/2021

12:07 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's <head> ends so t... jahoti
09:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's `<head>` ends so t... koszko

08/23/2021

11:56 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I hate web browsers. It all grows waaaay more complex than I expected.
Which then wastes half one's energy remem...
jahoti
06:18 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I'll investigate possible workarounds for Mozilla.
I did.
* We can make a HTML on-the-fly "parser" by creating ...
koszko
11:14 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
The code that uses StreamFilter is now on my branch. The remaining issues are worth mentioning:
1. Under Chromium ...
koszko
11:17 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think... koszko

08/21/2021

08:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
Had some issues again (document created with `DOMParser` can be written to under Chromium but not under IceCat 60). A... koszko

08/20/2021

01:04 PM Feature #15 (In Progress): make sure page's own csp in <head> doesn't block our scripts
> Maybe the *extension* should have been named Hydrilla- whenever one path gets cut off, two more grow in its place :... koszko
11:06 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
Thanks for pointing out. I'll fix it together with some bigger changes for issue 15 https://hachettebugs.koszko.org/i... koszko
07:20 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> EDIT: Newest commit on my branch restores compatibility with IceCat 60. Testing on other browsers still welcome :)
...
jahoti

08/19/2021

01:49 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think t... jahoti

08/18/2021

08:57 PM Support #75 (Rejected): ServiceWorkers
Investigate into Service Workers. Find out if some additional measures need to be taken against them koszko
06:10 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
> Sounds like a winner (and much safer than dealing with the URL fragment)!
It is indeed way more convenient. Safe...
koszko

08/17/2021

01:19 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> Sad that I already wrote the toughest parts of that one :/
*Sigh* :/
At least you've got something to start w...
jahoti
07:50 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
UPDATE
Bad news (but read on!) - we cannot use `document.write()` this way from content script nor from any `<script...
koszko
01:13 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
Sounds like a winner (and much safer than dealing with the URL fragment)! That said, is there any way to deal with a ... jahoti
07:41 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
We should investigate if we can use `Set-Cookie` header instead of URL for policy smuggling
EDIT: Looks very promi...
koszko

08/16/2021

11:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I think it will take me a little while to understand exactly what magic you've pulled :).
All that's needed is t...
koszko

08/15/2021

12:47 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
That is genuine genius- I think it will take me a little while to understand exactly what magic you've pulled :). jahoti
09:08 AM Bug #53: Interference with existing CSP headers
No- feel free to delete the csp-PoC branch. jahoti

08/14/2021

01:03 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> A spurious `</script>` at the beginning of the document could cause serious issues with my method. There are, howev... koszko
09:42 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> > So, in the end, this will not only allow us to modify the offending csp rules but also impose script-blocking and... koszko
03:10 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> I started looking for a solution and found out a very good thing. In Chromium at `document_start` we could stop unw... jahoti
10:21 AM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo
Tested with Google Drive fixes. Closing. Documentation will be added at some point. koszko
10:10 AM Bug #53 (Closed): Interference with existing CSP headers
Merged to master. You no longer need the `csp-PoC` branch, do you? koszko
02:25 AM Bug #53: Interference with existing CSP headers
> From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP... jahoti

08/13/2021

06:03 PM Feature #29 (Closed): validate settings data on import
I did it as part of https://hachettebugs.koszko.org/issues/17
For now, it's on `koszko` branch
koszko
05:23 PM Bug #53: Interference with existing CSP headers
From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP `... koszko
05:13 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
I see you tried to remove the offending `<meta>` csp tags in the csp-PoC branch. Unfortunately, to the extent I teste... koszko
12:51 PM Feature #34: improve CSP injection blocking
Update: we might be able to just inject `<meta>` at the very beginning of the document. Browsers seem to be able to d... koszko

08/06/2021

05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo
I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
...
koszko
02:42 AM Feature #66: Write tests
> Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha...
jahoti

08/05/2021

12:30 PM Feature #66: Write tests
jahoti wrote:
> This is now off to a (very slow) start.
>
> It's currently in a separate folder to Hachette; shou...
koszko
11:47 AM Feature #66: Write tests
This is now off to a (very slow) start.
It's currently in a separate folder to Hachette; should that continue, or ...
jahoti
12:15 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> > Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening `https://example.com/` in... koszko
11:32 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> Does WebRequest not allow rewriting of [the referer] header?
WebRequest probably does actually; thanks for point...
jahoti

08/04/2021

10:19 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> > BTW, we could also facilitate spoofing of the referer header for similar purposes
>
> Are extensions allowed t...
koszko

08/03/2021

11:48 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> BTW, we could also facilitate spoofing of the referer header for similar purposes
Are extensions allowed to spoo...
jahoti
11:29 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
We definitely need to support this; the question is, as you point out, how. Using the `script` tag is probably an abu... jahoti

08/02/2021

01:19 AM Feature #13: find some way not to require each chrome user to modify manifest.json
Please note that under Manifest V3 in Chrome we'll be able to dynamically register content scripts which might solve ... koszko
12:50 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has ...
koszko
 

Also available in: Atom