Activity
From 08/03/2021 to 09/01/2021
09/01/2021
- 02:18 PM Feature #11: add some nice styling to settings page
- Import dialog is now also styled. All that's left is merging to `master`
- 02:18 PM Feature #49: add some nice styling to popup
- Install dialog is now also styled. All that's left is merging to `master`
- 11:48 AM Feature #49: add some nice styling to popup
- This is now also on `koszko-smuggle-policy` branch, except for the install dialog
- 01:49 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- Did you have any success?
08/31/2021
- 01:36 PM Feature #83 (New): Also add ability to selectively block other types of content (e.g. fonts)
- Google uses fonts sites load from its servers for snooping. Blocking them causes relatively little issues (compared t...
- 01:32 PM Feature #11: add some nice styling to settings page
- Forgot to mention: this has been ready (except for settings import window) on `koszko-smuggle-policy` branch since ye...
08/30/2021
- 12:13 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- ## Mobile version considerations
I don't have any Android device to test on, although it might be possible to use ... - 12:02 PM Feature #82 (New): Style extension's pages for mobile usage
- 12:00 PM Feature #80 (New): Make Haketilo work with mobile versions of browsers
- This is mostly the matter of apropriately styling extension's pages. Unfortunately, a libre mobile browser to test on...
08/28/2021
- 08:56 AM Support #78: Investigate into how browsers handle files that are not HTML
- > As for making sure we only filter relevant data, do any browsers try to guess mime types?
By guessing you mean a... - 03:00 AM Support #78: Investigate into how browsers handle files that are not HTML
- For the second point at least, I know NoScript operates on XML (and will check uBlock Origin for similar behavior). W...
- 08:48 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- > Wouldn't that still require each user to build the extension themselves?
It would. It would just be less hacky t... - 02:54 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- > Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret
Wouldn't ...
08/27/2021
- 10:58 AM Feature #79 (Closed): Improve the build script by using awk
- Since writing `build.sh` I realized some things could be done a lot easier using awk
- 10:56 AM Feature #23 (Resolved): also implement support for whitelisting of non-https urls
- 10:55 AM Feature #23: also implement support for whitelisting of non-https urls
- `ftp://` is now also ready and pushed to this temporary branch. Changes will be merged together with completed Featur...
- 10:12 AM Feature #23: also implement support for whitelisting of non-https urls
- Support for the `file://` protocol is now on the `koszko-smuggle-policy` branch. I re-used the temporarily-unused app...
- 10:32 AM Support #78 (Rejected): Investigate into how browsers handle files that are not HTML
- Our tampering with HTML pages, including rewriting parts of them using the StreamFilter API, might cause problems whe...
- 10:26 AM Feature #77: Check LibreJS is compatible with this extension.
- # History before copying
koszko wrote:
> I assume by compatibility you mean the ability to run side-by-side with ... - 10:26 AM Feature #77 (Closed): Check LibreJS is compatible with this extension.
- Many swfreedom supporters prefer LibreJS' blocking mechanism. As there's good reason to expect compatability, it woul...
- 10:07 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret
08/26/2021
- 03:55 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > We could use webRequest to remove our cookies from request headers in case they happen to get there
Committed to... - 09:54 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I'll try and do this today.
If it turns out to work, you should be able to use StreamFilter code from 6b53d6c840...
08/25/2021
- 12:07 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's <head> ends so t...
- 09:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's `<head>` ends so t...
08/23/2021
- 11:56 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I hate web browsers. It all grows waaaay more complex than I expected.
Which then wastes half one's energy remem... - 06:18 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I'll investigate possible workarounds for Mozilla.
I did.
* We can make a HTML on-the-fly "parser" by creating ... - 11:14 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- The code that uses StreamFilter is now on my branch. The remaining issues are worth mentioning:
1. Under Chromium ... - 11:17 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think...
08/21/2021
- 08:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- Had some issues again (document created with `DOMParser` can be written to under Chromium but not under IceCat 60). A...
08/20/2021
- 01:04 PM Feature #15 (In Progress): make sure page's own csp in <head> doesn't block our scripts
- > Maybe the *extension* should have been named Hydrilla- whenever one path gets cut off, two more grow in its place :...
- 11:06 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- Thanks for pointing out. I'll fix it together with some bigger changes for issue 15 https://hachettebugs.koszko.org/i...
- 07:20 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > EDIT: Newest commit on my branch restores compatibility with IceCat 60. Testing on other browsers still welcome :)
...
08/19/2021
- 01:49 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think t...
08/18/2021
- 08:57 PM Support #75 (Rejected): ServiceWorkers
- Investigate into Service Workers. Find out if some additional measures need to be taken against them
- 06:10 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > Sounds like a winner (and much safer than dealing with the URL fragment)!
It is indeed way more convenient. Safe...
08/17/2021
- 01:19 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > Sad that I already wrote the toughest parts of that one :/
*Sigh* :/
At least you've got something to start w... - 07:50 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- UPDATE
Bad news (but read on!) - we cannot use `document.write()` this way from content script nor from any `<script... - 01:13 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- Sounds like a winner (and much safer than dealing with the URL fragment)! That said, is there any way to deal with a ...
- 07:41 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- We should investigate if we can use `Set-Cookie` header instead of URL for policy smuggling
EDIT: Looks very promi...
08/16/2021
- 11:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I think it will take me a little while to understand exactly what magic you've pulled :).
All that's needed is t...
08/15/2021
- 12:47 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- That is genuine genius- I think it will take me a little while to understand exactly what magic you've pulled :).
- 09:08 AM Bug #53: Interference with existing CSP headers
- No- feel free to delete the csp-PoC branch.
08/14/2021
- 01:03 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > A spurious `</script>` at the beginning of the document could cause serious issues with my method. There are, howev...
- 09:42 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > > So, in the end, this will not only allow us to modify the offending csp rules but also impose script-blocking and...
- 03:10 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I started looking for a solution and found out a very good thing. In Chromium at `document_start` we could stop unw...
- 10:21 AM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo
- Tested with Google Drive fixes. Closing. Documentation will be added at some point.
- 10:10 AM Bug #53 (Closed): Interference with existing CSP headers
- Merged to master. You no longer need the `csp-PoC` branch, do you?
- 02:25 AM Bug #53: Interference with existing CSP headers
- > From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP...
08/13/2021
- 06:03 PM Feature #29 (Closed): validate settings data on import
- I did it as part of https://hachettebugs.koszko.org/issues/17
For now, it's on `koszko` branch - 05:23 PM Bug #53: Interference with existing CSP headers
- From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP `...
- 05:13 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- I see you tried to remove the offending `<meta>` csp tags in the csp-PoC branch. Unfortunately, to the extent I teste...
- 12:51 PM Feature #34: improve CSP injection blocking
- Update: we might be able to just inject `<meta>` at the very beginning of the document. Browsers seem to be able to d...
08/06/2021
- 05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo
- I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
... - 02:42 AM Feature #66: Write tests
- > Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha...
08/05/2021
- 12:30 PM Feature #66: Write tests
- jahoti wrote:
> This is now off to a (very slow) start.
>
> It's currently in a separate folder to Hachette; shou... - 11:47 AM Feature #66: Write tests
- This is now off to a (very slow) start.
It's currently in a separate folder to Hachette; should that continue, or ... - 12:15 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > > Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening `https://example.com/` in...
- 11:32 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > Does WebRequest not allow rewriting of [the referer] header?
WebRequest probably does actually; thanks for point...
08/04/2021
- 10:19 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > > BTW, we could also facilitate spoofing of the referer header for similar purposes
>
> Are extensions allowed t...
08/03/2021
- 11:48 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- > BTW, we could also facilitate spoofing of the referer header for similar purposes
Are extensions allowed to spoo... - 11:29 PM Feature #69: [Roadmap 7][Milestone] Facilitate bundling HTML/XML/JSON and other data with a fix
- We definitely need to support this; the question is, as you point out, how. Using the `script` tag is probably an abu...
08/02/2021
- 01:19 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- Please note that under Manifest V3 in Chrome we'll be able to dynamically register content scripts which might solve ...
- 12:50 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has ...
Also available in: Atom