Activity

From 08/06/2021 to 09/04/2021

09/04/2021

09:05 PM Bug #89 (Closed): Restore, to the extent necessary, the script sanitizing functionality: Merged to `master` koszko
08:50 PM Bug #89 (Closed): Restore, to the extent necessary, the script sanitizing functionality: Sanitizing of `<script>` tags was recently dropped because it seemed sufficient to rely on CSP rules being injected. ... koszko
09:03 PM Revision 51d43685 (haketilo): fix script blocking bug under Chromium: koszko
07:36 PM Feature #88 (New): [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page: Note that this concerns CSP rules other than those for scripts. For scripts we always use a nonce
[Roadmap](/proje... koszko
07:33 PM Bug #65 (Closed): When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL: Merged to `master` koszko
06:41 PM Revision 83039701 (haketilo): update documentation link in the README: koszko
05:44 PM Revision d141aada (haketilo): show appropriate message when repository returns no custom content for given URL: koszko
12:36 PM Feature #11 (Closed): add some nice styling to settings page: Merged to `master` koszko
12:35 PM Feature #15 (Closed): make sure page's own csp in <head> doesn't block our scripts: Merged to `master` koszko
12:35 PM Feature #23 (Closed): also implement support for whitelisting of non-https urls: Merged to `master` koszko
12:34 PM Feature #31 (Closed): add an option to disable script blocking globally: Merged to `master` koszko
12:34 PM Feature #49 (Closed): add some nice styling to popup: Merged to `master` koszko
12:32 PM Revision e48e20de (haketilo): merge changes before version 0.1: koszko
02:00 AM Revision 591c48a6 (haketilo): Make test suite mildly usable: Allow test/server.py to be run as a command and add some "webpages" for it. jahoti

09/03/2021

07:49 PM Revision f0951bce (haketilo): limit width of url in popup heading: koszko
07:40 PM Revision c12b9ee3 (haketilo): disable payload injection on non-html pages: koszko
07:19 PM Support #78: Investigate into how browsers handle files that are not HTML: Modified StreamFilter code is now on `koszko-rethinked-meta-sanitizing`. The `policy` object now also contains inform... koszko
12:36 PM Support #78: Investigate into how browsers handle files that are not HTML: No, since under Chromium I've never actually seen our "document_start" content scripts start with DOM partially or fu... koszko
12:19 PM Support #78: Investigate into how browsers handle files that are not HTML: > Perhpas we could instead, in StreamFilter, just try running DOMParser over the first chunk of data and examining th... jahoti
11:17 AM Support #78: Investigate into how browsers handle files that are not HTML: Heuristics. That's bad... For us.
Even mere parsing of response headers is already risky because of some subtletie... koszko
10:21 AM Support #78: Investigate into how browsers handle files that are not HTML: According to <https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing>:
> In th... jahoti
06:46 PM Revision 03d041ce (haketilo): only apply stream filter modifications when reasonably necessary: koszko
12:52 PM Feature #85: Make Haketilo use the same format as Hydrilla for import and export of settings: jahoti wrote:
> Is the Hydrilla format stable? If not, is it worth waiting for that first or should this be easy eno... koszko
12:27 PM Feature #85: Make Haketilo use the same format as Hydrilla for import and export of settings: Is the Hydrilla format stable? If not, is it worth waiting for that first or should this be easy enough to do now? jahoti
12:50 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf): jahoti wrote:
> I suspect IceCat can be built on FSDG-compliant distros.
I am not so sure. Official mobile releas... koszko
12:25 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf): I suspect IceCat can be built on FSDG-compliant distros. Ungoogled Chromium might have that option, yet it's pointles... jahoti
12:23 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: If any part of Hachette can be considered infrastructure trap, it's surely this CSP stuff. Having already done so muc... koszko
11:59 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > So we still need workarounds under Mozilla :/
How easy life would be if everything worked reasonably well!
> ... jahoti
10:32 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > - On Chromium, nodes injected by content scripts are CSP-exempt, meaning CSP filtering is unnecessary (albeit harml... koszko
09:51 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: Sorry I didn't see your question! I distracted myself with researching around the topic (in the midst of general busy... jahoti
12:18 PM Feature #83: Also add ability to selectively block other types of content (e.g. fonts): > I am not entirely sure the actual fetching of resources is also prevented by CSP. What I am sure would work, though... jahoti
11:44 AM Feature #83: Also add ability to selectively block other types of content (e.g. fonts): I am not entirely sure the actual fetching of resources is also prevented by CSP. What I am sure would work, though, ... koszko
10:16 AM Feature #83: Also add ability to selectively block other types of content (e.g. fonts): To summarise from the [full list of CSP directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content... jahoti

09/02/2021

09:37 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: I pushed some code for this to new `koszko-rethinked-meta-sanitizing` branch. I am not yet 100% sure this will work. ... koszko
09:33 PM Revision 44958e6a (haketilo): implement rethinked <meta> tags sanitizing approach: This has not been tested yet. Additionally, functionality for blocking of `data:' urls needs to be re-enabled. koszko
09:05 PM Feature #85 (In Progress): Make Haketilo use the same format as Hydrilla for import and export of settings: I just realized it should be possible to access entire directories:
https://developer.mozilla.org/en-US/docs/Web/API... koszko
06:39 PM Revision d1d5d4fb (haketilo): also require "unlimitedStorage" permission to avoid surprise later: koszko
06:37 PM Feature #31 (Resolved): add an option to disable script blocking globally: On `koszko-smuggle-policy` branch koszko
06:35 PM Revision 6247f163 (haketilo): enable toggling of global script blocking policy\n\nThis commit also introduces `light_storage' module which is later going to replace the storage code we use right now.\nAlso included is a hack to properly display scrollbars under Mozilla (needs testing on newer Mozilla browsers).: koszko

09/01/2021

02:18 PM Feature #11: add some nice styling to settings page: Import dialog is now also styled. All that's left is merging to `master` koszko
02:18 PM Feature #49: add some nice styling to popup: Install dialog is now also styled. All that's left is merging to `master` koszko
11:48 AM Feature #49: add some nice styling to popup: This is now also on `koszko-smuggle-policy` branch, except for the install dialog koszko
02:14 PM Revision 4b59dced (haketilo): add styling to settings install(import) dialog: koszko
01:49 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: Did you have any success? koszko
11:55 AM Revision d85dcc1e (haketilo): change description: koszko
11:45 AM Revision 453ba039 (haketilo): add styling for popup page\n\nThis does not include styling for contents of the import dialog: koszko

08/31/2021

01:36 PM Feature #83 (New): Also add ability to selectively block other types of content (e.g. fonts): Google uses fonts sites load from its servers for snooping. Blocking them causes relatively little issues (compared t... koszko
01:32 PM Feature #11: add some nice styling to settings page: Forgot to mention: this has been ready (except for settings import window) on `koszko-smuggle-policy` branch since ye... koszko

08/30/2021

12:13 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf): ## Mobile version considerations
I don't have any Android device to test on, although it might be possible to use ... koszko
12:02 PM Feature #82 (New): Style extension's pages for mobile usage: koszko
12:00 PM Feature #80 (New): Make Haketilo work with mobile versions of browsers: This is mostly the matter of apropriately styling extension's pages. Unfortunately, a libre mobile browser to test on... koszko
11:54 AM Revision 544c6df3 (haketilo): add styling for options page\n\nThis does not include styling for contents of the import popup: koszko

08/28/2021

08:56 AM Support #78: Investigate into how browsers handle files that are not HTML: > As for making sure we only filter relevant data, do any browsers try to guess mime types?
By guessing you mean a... koszko
03:00 AM Support #78: Investigate into how browsers handle files that are not HTML: For the second point at least, I know NoScript operates on XML (and will check uBlock Origin for similar behavior). W... jahoti
08:48 AM Feature #13: find some way not to require each chrome user to modify manifest.json: > Wouldn't that still require each user to build the extension themselves?
It would. It would just be less hacky t... koszko
02:54 AM Feature #13: find some way not to require each chrome user to modify manifest.json: > Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret
Wouldn't ... jahoti

08/27/2021

06:45 PM Revision a43c3fe2 (haketilo): reset CSS rules: koszko
06:01 PM Revision 826b4fd8 (haketilo): start using `<template>' tag: koszko
02:54 PM Revision 53891495 (haketilo): put simplest, asynchronous local storage operations in a separate file: koszko
10:58 AM Feature #79 (Closed): Improve the build script by using awk: Since writing `build.sh` I realized some things could be done a lot easier using awk koszko
10:56 AM Feature #23 (Resolved): also implement support for whitelisting of non-https urls: koszko
10:55 AM Feature #23: also implement support for whitelisting of non-https urls: `ftp://` is now also ready and pushed to this temporary branch. Changes will be merged together with completed Featur... koszko
10:12 AM Feature #23: also implement support for whitelisting of non-https urls: Support for the `file://` protocol is now on the `koszko-smuggle-policy` branch. I re-used the temporarily-unused app... koszko
10:52 AM Revision 48f76d70 (haketilo): add support for `ftp://' protocol: koszko
10:32 AM Support #78 (Rejected): Investigate into how browsers handle files that are not HTML: Our tampering with HTML pages, including rewriting parts of them using the StreamFilter API, might cause problems whe... koszko
10:26 AM Feature #77: Check LibreJS is compatible with this extension.: # History before copying
koszko wrote:
> I assume by compatibility you mean the ability to run side-by-side with ... koszko
10:26 AM Feature #77 (Closed): Check LibreJS is compatible with this extension.: Many swfreedom supporters prefer LibreJS' blocking mechanism. As there's good reason to expect compatability, it woul... koszko
10:07 AM Feature #13: find some way not to require each chrome user to modify manifest.json: Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret koszko
10:01 AM Revision 53837634 (haketilo): enable whitelisting of `file://' protocol\n\nThis commit additionally also changes the semantics of triple asterisk wildcard in URL path.: koszko

08/26/2021

03:55 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL: > We could use webRequest to remove our cookies from request headers in case they happen to get there
Committed to... koszko
03:53 PM Revision 3303d7d7 (haketilo): filter HTTP request headers to remove Hachette cookies in case they slip through: koszko
11:50 AM Revision 2875397f (haketilo): improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.: koszko
09:54 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > I'll try and do this today.
If it turns out to work, you should be able to use StreamFilter code from 6b53d6c840... koszko

08/25/2021

12:07 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's <head> ends so t... jahoti
09:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's `<head>` ends so t... koszko

08/23/2021

11:56 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > I hate web browsers. It all grows waaaay more complex than I expected.
Which then wastes half one's energy remem... jahoti
06:18 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > I'll investigate possible workarounds for Mozilla.
I did.
* We can make a HTML on-the-fly "parser" by creating ... koszko
11:14 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: The code that uses StreamFilter is now on my branch. The remaining issues are worth mentioning:
1. Under Chromium ... koszko
11:17 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL: > > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think... koszko
11:05 AM Revision 6b53d6c8 (haketilo): use StreamFilter under Mozilla to prevent csp <meta> tags from blocking our injected scripts: koszko

08/22/2021

02:00 AM Revision 6c69435c (haketilo): Support a custom certificates directory in test/server.py: jahoti
02:00 AM Revision bb550c36 (haketilo): Incorporate patch for test/gorilla.py: Patch by Wojtek provides a bundle-all option and only reads Hydrilla files. jahoti

08/21/2021

08:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: Had some issues again (document created with `DOMParser` can be written to under Chromium but not under IceCat 60). A... koszko

08/20/2021

01:04 PM Feature #15 (In Progress): make sure page's own csp in <head> doesn't block our scripts: > Maybe the *extension* should have been named Hydrilla- whenever one path gets cut off, two more grow in its place :... koszko
12:57 PM Revision d09b7ee1 (haketilo): sanitize `<meta>' tags containing CSP rules under Chromium: This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the le... koszko
11:06 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL: Thanks for pointing out. I'll fix it together with some bigger changes for issue 15 https://hachettebugs.koszko.org/i... koszko
07:20 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL: > EDIT: Newest commit on my branch restores compatibility with IceCat 60. Testing on other browsers still welcome :)
... jahoti

08/16/2021

11:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > I think it will take me a little while to understand exactly what magic you've pulled :).
All that's needed is t... koszko

08/15/2021

12:47 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: That is genuine genius- I think it will take me a little while to understand exactly what magic you've pulled :). jahoti
09:08 AM Bug #53: Interference with existing CSP headers: No- feel free to delete the csp-PoC branch. jahoti

08/14/2021

01:03 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > A spurious `</script>` at the beginning of the document could cause serious issues with my method. There are, howev... koszko
09:42 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > > So, in the end, this will not only allow us to modify the offending csp rules but also impose script-blocking and... koszko
03:10 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts: > I started looking for a solution and found out a very good thing. In Chromium at `document_start` we could stop unw... jahoti
10:21 AM Feature #17 (Closed): enable the extension to automatically fetch script substitutes from the repo: Tested with Google Drive fixes. Closing. Documentation will be added at some point. koszko
10:10 AM Bug #53 (Closed): Interference with existing CSP headers: Merged to master. You no longer need the `csp-PoC` branch, do you? koszko
02:25 AM Bug #53: Interference with existing CSP headers: > From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP... jahoti
10:07 AM Revision 443bc095 (haketilo): merge facility to install from Hydrilla: koszko
09:54 AM Revision ae1844f9 (haketilo): merge csp-PoC: koszko
02:00 AM Revision 6fda8ea5 (haketilo): Revert changes to content/main.js to commit 25817b68c*: It turns out modifying the CSP headers in meta tags has no effect. jahoti

08/13/2021

06:03 PM Feature #29 (Closed): validate settings data on import: I did it as part of https://hachettebugs.koszko.org/issues/17
For now, it's on `koszko` branch koszko
05:23 PM Bug #53: Interference with existing CSP headers: From what I tested today and yesterday[1], the experimental code in csp-PoC that's responsible for removing the CSP `... koszko
05:13 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts: I see you tried to remove the offending `<meta>` csp tags in the csp-PoC branch. Unfortunately, to the extent I teste... koszko
12:51 PM Feature #34: improve CSP injection blocking: Update: we might be able to just inject `<meta>` at the very beginning of the document. Browsers seem to be able to d... koszko

08/10/2021

08:18 PM Revision 2fbab2f0 (haketilo): change default repository URL: koszko

08/06/2021

05:20 PM Feature #17: enable the extension to automatically fetch script substitutes from the repo: I ended up doing quite a lot of changes as prerequisites of this. The seemingly working product is now on my branch.
... koszko
05:17 PM Revision 792fbe18 (haketilo): Facilitate installation of scripts from the repository: This commit includes:
* removal of page_info_server
* running of storage client in popup context
* extraction of some... koszko
02:42 AM Feature #66: Write tests: > Please for now only focus on things that are not going to change quickly.
I'll make sure to once it gets to tha... jahoti
02:00 AM Revision 7796e554 (haketilo): Add the beginnings of a test suite: jahoti

Also available in: Atom

Project

General

Profile

Haketilo

Activity

Activity

09/04/2021

09/03/2021

09/02/2021

09/01/2021

08/31/2021

08/30/2021

08/28/2021

08/27/2021

08/26/2021

08/25/2021

08/23/2021

08/22/2021

08/21/2021

08/20/2021

08/19/2021

08/18/2021

08/17/2021

08/16/2021

08/15/2021

08/14/2021

08/13/2021

08/10/2021

08/06/2021