Activity
From 08/16/2021 to 09/14/2021
09/14/2021
- 11:48 PM Support #78: Investigate into how browsers handle files that are not HTML
- Rough estimate of progress (it's hard to tell without knowing in advance what the solution will involve)
- 11:09 PM Feature #90: Make the 0.1 release
- > > As a rather unimportant aside, however, we have yet to establish a clear difference between "Haketilo" and "Haket...
- 08:22 PM Feature #90: Make the 0.1 release
- OK, it seems all that's important is ready. Documentation will never be perfect but it's already sufficiently good. I...
- 07:20 PM Feature #90: Make the 0.1 release
- In case anyone's wondering how I automatized the generation of Chromium builds with different secrets, it's this scrip...
- 04:24 PM Feature #90: Make the 0.1 release
- > As a rather unimportant aside, however, we have yet to establish a clear difference between "Haketilo" and "Haketil...
- 03:25 AM Feature #90: Make the 0.1 release
- > Right, in the documentation (at the end of Mozilla installation instructions, perhaps also in some other place(s)) ...
- 07:29 PM Revision e9b6187e (haketilo): bump version to 0.1
- 07:28 PM Revision 212b5c8e (haketilo): use default settings that only contain a demo script (the rest is available through Hydrilla)
- 03:59 AM Feature #92: Replace cookie smuggling with some safer approach
- > Actually, I thought about simply redirecting to an extension-packaged file. For basic functionality we only need 3 ...
09/13/2021
- 04:56 PM Revision 2bd35bc4 (haketilo): rename the extension to "Haketilo"
- 09:46 AM Feature #90: Make the 0.1 release
- jahoti wrote:
> OK, the Firefox account generation/management script is attached.
Thanks a lot!
> (except on s...
- 09:12 AM Feature #90: Make the 0.1 release
- OK, the Firefox account generation/management script is attached. Some notes:
* It depends on `librecaptcha`, `reque...
- 09:01 AM Feature #90: Make the 0.1 release
- > > (it's also possible they just distribute the signed extensions and package the signatures when building from sour...
- 08:02 AM Feature #90: Make the 0.1 release
- > > Also, distros like Debian actually have extensions in their repositories, so there is surely some way to install ...
- 08:25 AM Feature #92: Replace cookie smuggling with some safer approach
- > That said, there are several options. Apart from the obvious approach of `data:` URLs for Chromium and `contentScri...
09/12/2021
- 11:20 AM Feature #93 (Rejected): Elaborate on ethics in the documentation
- The user manual currently contains several references to what we recommend or what the reader should be doing without...
- 11:13 AM Feature #90: Make the 0.1 release
- I'm working through testing the Mozilla account-generation script now. I've removed the signing functionality rather ...
- 03:00 AM Feature #92: Replace cookie smuggling with some safer approach
- It turns out Firefox did once support redirection to `data:` URLs (prior to v60, it seems), before it was accidentall...
09/11/2021
- 12:53 AM Feature #92: Replace cookie smuggling with some safer approach
- > Jahoti, please, remind me. Why aren't we just making a synchronous AJAX call in the content script and redirecting ...
- 09:58 PM Feature #92: Replace cookie smuggling with some safer approach
- Jahoti, please, remind me. Why aren't we just making a synchronous AJAX call in the content script and redirecting it...
- 09:55 PM Feature #92 (Closed): Replace cookie smuggling with some safer approach
- Yep, we need to find something that works. `registerContentScript()` might do the job on newer browsers (and under Ma...
- 12:41 AM Feature #90: Make the 0.1 release
- > Interesting. The flag that enables unverified installs is supposedly still supported in developer edition of Firefo...
- 12:51 PM Feature #90: Make the 0.1 release
- Interesting. The flag that enables unverified installs is supposedly still supported in developer edition of Firefox:...
- 12:35 PM Feature #90: Make the 0.1 release
- >> Wait- is it possible to sign XPIs with our own key? If so that would be much better than relying on Mozilla.
>
>...
- 12:22 PM Feature #90: Make the 0.1 release
- jahoti wrote:
> Wait- is it possible to sign XPIs with our own key? If so that would be much better than relying on ...
- 11:54 AM Feature #90: Make the 0.1 release
- Wait- is it possible to sign XPIs with our own key? If so that would be much better than relying on Mozilla.
In an...
- 11:38 AM Feature #90: Make the 0.1 release
- jahoti wrote:
> On that note (and your breakthrough with CRX on #13), do we want to sign releases?
Yes. And I'd l...
- 05:03 AM Feature #90: Make the 0.1 release
- > Also, at some point we'll upload prebuilt versions of Hachette here.
On that note (and your breakthrough with CR...
- 01:56 PM Revision 947fbdef (haketilo): added missing line break in options page
- 12:22 PM Support #75: ServiceWorkers
- I unfortunately couldn't test this, as I couldn't find any test cases or understand how to set one up.
- 11:44 AM Support #75: ServiceWorkers
- jahoti wrote:
> Somehow, it seems the biggest technical challenge for this project has become *blocking (unwanted) s...
- 05:15 AM Support #75: ServiceWorkers
- > Ultimately, we should stop using cookies for policy smuggling, even though they initially seemed like a super good ...
- 12:17 PM Support #78: Investigate into how browsers handle files that are not HTML
- Your most recent push seems to be working well!
- 05:08 AM Support #78: Investigate into how browsers handle files that are not HTML
- Good point!
- 04:52 AM Support #78: Investigate into how browsers handle files that are not HTML
- > didn't the CSP-filtering part of StreamFilter get removed anyway?
It did, although the part that remains is stil...
- 04:38 AM Support #78: Investigate into how browsers handle files that are not HTML
- > I pushed something to koszko branch.
Rather than reply to all the commits you've made independently, I'll just n...
- 12:14 PM Feature #88: [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
- I read this thread earlier today and had been meaning to reply, yet couldn't find it again- sorry!
> In the end, I...
- 12:02 PM Feature #32: Process HTML files in data: URLs instead of just blocking them
- > Btw, I've been unaware of that manifest key. It would be cool to utilize it for something else at some point :) Alt...
- 11:40 AM Feature #32: Process HTML files in data: URLs instead of just blocking them
- :/
Btw, I've been unaware of that manifest key. It would be cool to utilize it for something else at some point :) A...
- 04:56 AM Feature #32: Process HTML files in data: URLs instead of just blocking them
- > It might be possible to utilize this API:
>
> <https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registe...
- 11:48 AM Feature #91 (Rejected): Add an option to block HTTP "refresh"
- This concerns both the HTTP header and its respective `<meta>` tag.
https://en.wikipedia.org/wiki/Meta_refresh
- 11:03 AM Feature #77 (Closed): Check LibreJS is compatible with this extension.
- Compatibility is confirmed for IceCat 60, which is sufficient assuming there are no functional differences that would...
- 05:05 AM Feature #77: Check LibreJS is compatible with this extension.
- Results will be added to the user documentation once obtained.
- 05:13 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- > Unfortunately, the "Google BSD license" link is dead and I cannot check which of the BSD licenses applied to that s...
- 04:44 AM Feature #66: Write tests
- > Have you considered using UML (no, not that diagraming language, I mean User Mode Linux) to run tests inside? I'm s...
09/10/2021
- 10:07 PM Feature #90: Make the 0.1 release
- I started documenting Hachette usage. I uploaded the screenshots I made, so if you happen to come there while I sleep...
- 05:15 PM Feature #90: Make the 0.1 release
- "allow" option, CSP behavior and URL length limits are now on `koszko` branch
- 08:49 PM Feature #13: find some way not to require each chrome user to modify manifest.json
- I found details regarding the CRX file format:
http://www.dre.vanderbilt.edu/~schmidt/android/android-4.0/external/c...
- 05:47 PM Support #75: ServiceWorkers
- I added unregistering code on `koszko` branch. It needs testing
- 05:46 PM Revision d658cadf (haketilo): disable service workers when scripts are blocked
- 05:34 PM Feature #32: Process HTML files in data: URLs instead of just blocking them
- It might be possible to utilize this API:
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProto...
- 05:07 PM Feature #88: [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
- As this is somehow related, I'll write an update regarding our recent CSP change (where we are no longer modifying ex...
- 04:50 PM Revision 5c75d744 (haketilo): Make it impossible to check "Allow native scripts" for pages with payload.
- 04:18 PM Revision 72cbfa74 (haketilo): limit allowed pattern lengths
09/09/2021
- 06:51 PM Revision ed9cc030 (haketilo): restore compatibility with IceCat 60
- 06:50 PM Revision 44e89d8e (haketilo): simplify CSP handling
- All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not mo...
- 05:35 PM Support #75: ServiceWorkers
- jahoti wrote:
> perhaps we could present some version of [this information](https://www.ghacks.net/2016/03/02/manage...
- 01:52 PM Feature #66: Write tests
- Have you considered using UML (no, not that diagraming language, I mean User Mode Linux) to run tests inside? I'm sug...
- 12:51 PM Feature #34 (Closed): improve CSP injection blocking
- Can be considered done as part of #78
- 12:15 PM Support #78: Investigate into how browsers handle files that are not HTML
- > I am going to continue with this tomorrow. Btw, I realized some mistakes (including being unaware of what I just de...
09/08/2021
09/07/2021
- 10:31 PM Support #78: Investigate into how browsers handle files that are not HTML
- I now realize what is the problem with all XMLs, including SVGs. Any XML can include elements from other XML namespac...
- 10:52 AM Support #78: Investigate into how browsers handle files that are not HTML
- I suppose it's the same as with SVG, although I need to make sure it's really the case
09/06/2021
- 12:05 AM Feature #90: Make the 0.1 release
- That leaves me with 4, I suppose, which is probably just as well; the current (limited) state of the testing suite is...
- 08:51 PM Feature #90: Make the 0.1 release
- `3`. is now ready, as noted in #78
- 04:54 PM Feature #90: Make the 0.1 release
- Instead of implementing 2. as specified in the description, I did something else. Effect is as wanted - build.sh gene...
- 02:39 PM Feature #90 (Closed): Make the 0.1 release
- Right now what we have left to do is:
1. ~~Make it impossible to check "allow" option for page with payload, as sugg...
- 12:02 AM Support #78: Investigate into how browsers handle files that are not HTML
- > I came up with code that should do with blocking for now. On koszko branch. Could do with more testing
Doing thi...
- 08:49 PM Support #78: Investigate into how browsers handle files that are not HTML
- I came up with code that should do with blocking for now. On `koszko` branch. Could do with more testing
- 06:55 PM Support #78: Investigate into how browsers handle files that are not HTML
- Now we know why NoScript included special code for SVGs and XMLs:
https://developer.mozilla.org/en-US/docs/Web/SVG/E...
- 02:57 PM Support #78: Investigate into how browsers handle files that are not HTML
- > > While server might not be able to make user's browser execute scripts in a non-HTML page, we are. Should we restr...
- 11:48 AM Support #78: Investigate into how browsers handle files that are not HTML
- > While server might not be able to make user's browser execute scripts in a non-HTML page, we are. Should we restrai...
- 09:56 AM Support #78: Investigate into how browsers handle files that are not HTML
- > > Now it would make sense to make content script not try to inject payload if document.contentType is not of proper...
- 12:00 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- > The "key" manifest property was required by Chromium to be an actual key in PEM format
Thank you for explaining!...
- 04:53 PM Feature #13: find some way not to require each chrome user to modify manifest.json
- > > Wouldn't that still require each user to build the extension themselves?
>
> It would. It would just be less h...
- 11:45 PM Feature #28: split options_main.js into several smaller files
- > Right now I can quickly make this little change you suggested since I already know that code. And you could instead...
- 02:20 PM Feature #28: split options_main.js into several smaller files
- Discussion moved from #15
>>>>Since long-term we're not really planning to allow our scripts to run together with ...
- 08:45 PM Revision 704f2da0 (haketilo): re-enable sanitizing of data: URLs and also sanitize intrinsics on non-HTML pages where CSP doesn't work
- 04:45 PM Revision ed08ef1a (haketilo): generate Chromium unique key automatically in `build.sh'
- 11:41 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > Keep in mind, however, options_main.js is currently the most tangled script file in Hachette
Perhaps I'll start ...
- 10:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > > Since long-term we're not really planning to allow our scripts to run together with page's ones (i.e. "allow site...
- 11:41 AM Feature #7: [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
- > You mean re-allowing the actual intrinsics as they appear on the page they came with?
I did, having not really t...
- 10:37 AM Feature #7: [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
- > A hacky and flawed solution to this might be to simply scan the nodes and revert event-handler attribute blocking.
...
- 11:29 AM Support #75: ServiceWorkers
- > Unfortunately, it seems a page reload is required for this to take effect.
>
> Additionally, is there a way servi...
- 10:50 AM Support #75: ServiceWorkers
- Unfortunately, it seems a page reload is required for this to take effect.
Additionally, is there a way service w...
- 09:51 AM Feature #70: [Roadmap 7][Milestone] Add facility to replace sites' original HTML with custom one
- Together with this, we could allow scripts to access the original, raw HTML code of the page in question. I am mentio...
- 02:00 AM Revision b1444d9c (haketilo): Incorporate test suite from jahoti branch
- 02:00 AM Revision 5dab077b (haketilo): Replace CSP filtering with blocking
- CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.
09/05/2021
- 10:50 AM Feature #26 (Closed): besides blocking scripts through csp, also block connections that needlessly fetch those scripts
- Tentatively closed; the bug is no longer reproducible on IceCat, LibreWolf, or Ungoogled Chromium (version to be not...
- 04:38 AM Feature #26: besides blocking scripts through csp, also block connections that needlessly fetch those scripts
- I'll check if this is even an issue either today or in the next few days (if live scripts are never added to the acti...
- 05:12 AM Support #75: ServiceWorkers
- The following script will deregister all service workers in a page (courtesy of <https://love2dev.com/blog/how-to-uni...
- 04:52 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- > I am not so sure. Official mobile releases stopped at 38.6.0.
That complicates things. I'll see if I can find w...
- 04:50 AM Feature #7: [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
- A hacky and flawed solution to this might be to simply scan the nodes and revert event-handler attribute blocking.
- 04:44 AM Feature #16 (Closed): create a repository to host scripts
- See project:Hydrilla and the instance at [[https://api-demo.hachette-hydrilla.org]].
- 04:29 AM Feature #66: Write tests
- The basic infrastructure to support creating a "virtual network" is now in the `jahoti` branch, and can be used on it...
- 02:20 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > If any part of Hachette can be considered infrastructure trap, it's surely this CSP stuff. Having already done so m...
09/04/2021
- 01:40 AM Support #78: Investigate into how browsers handle files that are not HTML
- > Btw, I noticed cookies don't work on non-HTML pages. This doesn't seem to be an issue as long as we assume the conc...
- 09:05 PM Bug #89 (Closed): Restore, to the extent necessary, the script sanitizing functionality
- Merged to `master`
- 08:50 PM Bug #89 (Closed): Restore, to the extent necessary, the script sanitizing functionality
- Sanitizing of `<script>` tags was recently dropped because it seemed sufficient to rely on CSP rules being injected. ...
- 09:03 PM Revision 51d43685 (haketilo): fix script blocking bug under Chromium
- 07:36 PM Feature #88 (New): [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
- Note that this concerns CSP rules other than those for scripts. For scripts we always use a nonce
[Roadmap](/proje...
- 07:33 PM Bug #65 (Closed): When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- Merged to `master`
- 06:41 PM Revision 83039701 (haketilo): update documentation link in the README
- 05:44 PM Revision d141aada (haketilo): show appropriate message when repository returns no custom content for given URL
- 12:36 PM Feature #11 (Closed): add some nice styling to settings page
- Merged to `master`
- 12:35 PM Feature #15 (Closed): make sure page's own csp in <head> doesn't block our scripts
- Merged to `master`
- 12:35 PM Feature #23 (Closed): also implement support for whitelisting of non-https urls
- Merged to `master`
- 12:34 PM Feature #31 (Closed): add an option to disable script blocking globally
- Merged to `master`
- 12:34 PM Feature #49 (Closed): add some nice styling to popup
- Merged to `master`
- 12:32 PM Revision e48e20de (haketilo): merge changes before version 0.1
- 02:00 AM Revision 591c48a6 (haketilo): Make test suite mildly usable
- Allow test/server.py to be run as a command and add some "webpages" for it.
09/03/2021
- 07:49 PM Revision f0951bce (haketilo): limit width of url in popup heading
- 07:40 PM Revision c12b9ee3 (haketilo): disable payload injection on non-html pages
- 07:19 PM Support #78: Investigate into how browsers handle files that are not HTML
- Modified StreamFilter code is now on `koszko-rethinked-meta-sanitizing`. The `policy` object now also contains inform...
- 12:36 PM Support #78: Investigate into how browsers handle files that are not HTML
- No, since under Chromium I've never actually seen our "document_start" content scripts start with DOM partially or fu...
- 12:19 PM Support #78: Investigate into how browsers handle files that are not HTML
- > Perhaps we could instead, in StreamFilter, just try running DOMParser over the first chunk of data and examining th...
- 11:17 AM Support #78: Investigate into how browsers handle files that are not HTML
- Heuristics. That's bad... For us.
Even mere parsing of response headers is already risky because of some subtletie...
- 10:21 AM Support #78: Investigate into how browsers handle files that are not HTML
- According to <https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing>:
> In th...
- 06:46 PM Revision 03d041ce (haketilo): only apply stream filter modifications when reasonably necessary
- 12:52 PM Feature #85: Make Haketilo use the same format as Hydrilla for import and export of settings
- jahoti wrote:
> Is the Hydrilla format stable? If not, is it worth waiting for that first or should this be easy eno...
- 12:27 PM Feature #85: Make Haketilo use the same format as Hydrilla for import and export of settings
- Is the Hydrilla format stable? If not, is it worth waiting for that first or should this be easy enough to do now?
- 12:50 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- jahoti wrote:
> I suspect IceCat can be built on FSDG-compliant distros.
I am not so sure. Official mobile releas...
- 12:25 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- I suspect IceCat can be built on FSDG-compliant distros. Ungoogled Chromium might have that option, yet it's pointles...
- 12:23 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- If any part of Hachette can be considered infrastructure trap, it's surely this CSP stuff. Having already done so muc...
- 11:59 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > So we still need workarounds under Mozilla :/
How easy life would be if everything worked reasonably well!
> ...
- 10:32 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > - On Chromium, nodes injected by content scripts are CSP-exempt, meaning CSP filtering is unnecessary (albeit harml...
- 09:51 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- Sorry I didn't see your question! I distracted myself with researching around the topic (in the midst of general busy...
- 12:18 PM Feature #83: Also add ability to selectively block other types of content (e.g. fonts)
- > I am not entirely sure the actual fetching of resources is also prevented by CSP. What I am sure would work, though...
- 11:44 AM Feature #83: Also add ability to selectively block other types of content (e.g. fonts)
- I am not entirely sure the actual fetching of resources is also prevented by CSP. What I am sure would work, though, ...
- 10:16 AM Feature #83: Also add ability to selectively block other types of content (e.g. fonts)
- To summarise from the [full list of CSP directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content...
09/02/2021
- 09:37 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- I pushed some code for this to new `koszko-rethinked-meta-sanitizing` branch. I am not yet 100% sure this will work. ...
- 09:33 PM Revision 44958e6a (haketilo): implement rethinked <meta> tags sanitizing approach
- This has not been tested yet. Additionally, functionality for blocking of `data:' urls needs to be re-enabled.
- 09:05 PM Feature #85 (In Progress): Make Haketilo use the same format as Hydrilla for import and export of settings
- I just realized it should be possible to access entire directories:
https://developer.mozilla.org/en-US/docs/Web/API...
- 06:39 PM Revision d1d5d4fb (haketilo): also require "unlimitedStorage" permission to avoid surprise later
- 06:37 PM Feature #31 (Resolved): add an option to disable script blocking globally
- On `koszko-smuggle-policy` branch
- 06:35 PM Revision 6247f163 (haketilo): enable toggling of global script blocking policy
- This commit also introduces `light_storage' module which is later going to replace the storage code we use right now.
Also included is a hack to properly display scrollbars under Mozilla (needs testing on newer Mozilla browsers).
09/01/2021
- 02:18 PM Feature #11: add some nice styling to settings page
- Import dialog is now also styled. All that's left is merging to `master`
- 02:18 PM Feature #49: add some nice styling to popup
- Install dialog is now also styled. All that's left is merging to `master`
- 11:48 AM Feature #49: add some nice styling to popup
- This is now also on `koszko-smuggle-policy` branch, except for the install dialog
- 02:14 PM Revision 4b59dced (haketilo): add styling to settings install(import) dialog
- 01:49 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- Did you have any success?
- 11:55 AM Revision d85dcc1e (haketilo): change description
- 11:45 AM Revision 453ba039 (haketilo): add styling for popup page
- This does not include styling for contents of the import dialog
08/31/2021
- 01:36 PM Feature #83 (New): Also add ability to selectively block other types of content (e.g. fonts)
- Google uses fonts sites load from its servers for snooping. Blocking them causes relatively little issues (compared t...
- 01:32 PM Feature #11: add some nice styling to settings page
- Forgot to mention: this has been ready (except for settings import window) on `koszko-smuggle-policy` branch since ye...
08/30/2021
- 12:13 PM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
- ## Mobile version considerations
I don't have any Android device to test on, although it might be possible to use ...
- 12:02 PM Feature #82 (New): Style extension's pages for mobile usage
- 12:00 PM Feature #80 (New): Make Haketilo work with mobile versions of browsers
- This is mostly the matter of appropriately styling extension's pages. Unfortunately, a libre mobile browser to test on...
- 11:54 AM Revision 544c6df3 (haketilo): add styling for options page
- This does not include styling for contents of the import popup
08/28/2021
- 08:56 AM Support #78: Investigate into how browsers handle files that are not HTML
- > As for making sure we only filter relevant data, do any browsers try to guess mime types?
By guessing you mean a...
- 03:00 AM Support #78: Investigate into how browsers handle files that are not HTML
- For the second point at least, I know NoScript operates on XML (and will check uBlock Origin for similar behavior). W...
- 08:48 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- > Wouldn't that still require each user to build the extension themselves?
It would. It would just be less hacky t...
- 02:54 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- > Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret
Wouldn't ...
08/27/2021
- 06:45 PM Revision a43c3fe2 (haketilo): reset CSS rules
- 06:01 PM Revision 826b4fd8 (haketilo): start using `<template>' tag
- 02:54 PM Revision 53891495 (haketilo): put simplest, asynchronous local storage operations in a separate file
- 10:58 AM Feature #79 (Closed): Improve the build script by using awk
- Since writing `build.sh` I realized some things could be done a lot easier using awk
- 10:56 AM Feature #23 (Resolved): also implement support for whitelisting of non-https urls
- 10:55 AM Feature #23: also implement support for whitelisting of non-https urls
- `ftp://` is now also ready and pushed to this temporary branch. Changes will be merged together with completed Featur...
- 10:12 AM Feature #23: also implement support for whitelisting of non-https urls
- Support for the `file://` protocol is now on the `koszko-smuggle-policy` branch. I re-used the temporarily-unused app...
- 10:52 AM Revision 48f76d70 (haketilo): add support for `ftp://' protocol
- 10:32 AM Support #78 (Rejected): Investigate into how browsers handle files that are not HTML
- Our tampering with HTML pages, including rewriting parts of them using the StreamFilter API, might cause problems whe...
- 10:26 AM Feature #77: Check LibreJS is compatible with this extension.
- # History before copying
koszko wrote:
> I assume by compatibility you mean the ability to run side-by-side with ...
- 10:26 AM Feature #77 (Closed): Check LibreJS is compatible with this extension.
- Many swfreedom supporters prefer LibreJS' blocking mechanism. As there's good reason to expect compatibility, it woul...
- 10:07 AM Feature #13: find some way not to require each chrome user to modify manifest.json
- Using a synchronous AJAX call from the content script might allow us to use a bundled file as a secret
- 10:01 AM Revision 53837634 (haketilo): enable whitelisting of `file://' protocol
- This commit additionally also changes the semantics of triple asterisk wildcard in URL path.
08/26/2021
- 03:55 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > We could use webRequest to remove our cookies from request headers in case they happen to get there
Committed to...
- 03:53 PM Revision 3303d7d7 (haketilo): filter HTTP request headers to remove Hachette cookies in case they slip through
- 11:50 AM Revision 2875397f (haketilo): improve signing
- Signature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.
- 09:54 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I'll try and do this today.
If it turns out to work, you should be able to use StreamFilter code from 6b53d6c840...
08/25/2021
- 12:07 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's <head> ends so t...
- 09:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- I instead implemented a hacky way that uses multiple invocations of DOMParser to find where page's `<head>` ends so t...
08/23/2021
- 11:56 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I hate web browsers. It all grows waaaay more complex than I expected.
Which then wastes half one's energy remem...
- 06:18 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I'll investigate possible workarounds for Mozilla.
I did.
* We can make a HTML on-the-fly "parser" by creating ...
- 11:14 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- The code that uses StreamFilter is now on my branch. The remaining issues are worth mentioning:
1. Under Chromium ...
- 11:17 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think...
- 11:05 AM Revision 6b53d6c8 (haketilo): use StreamFilter under Mozilla to prevent csp <meta> tags from blocking our injected scripts
08/22/2021
- 02:00 AM Revision 6c69435c (haketilo): Support a custom certificates directory in test/server.py
- 02:00 AM Revision bb550c36 (haketilo): Incorporate patch for test/gorilla.py
- Patch by Wojtek provides a bundle-all option and only reads Hydrilla files.
08/21/2021
- 08:55 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- Had some issues again (document created with `DOMParser` can be written to under Chromium but not under IceCat 60). A...
08/20/2021
- 01:04 PM Feature #15 (In Progress): make sure page's own csp in <head> doesn't block our scripts
- > Maybe the *extension* should have been named Hydrilla- whenever one path gets cut off, two more grow in its place :...
- 12:57 PM Revision d09b7ee1 (haketilo): sanitize `<meta>' tags containing CSP rules under Chromium
- This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the le...
- 11:06 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- Thanks for pointing out. I'll fix it together with some bigger changes for issue 15 https://hachettebugs.koszko.org/i...
- 07:20 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > EDIT: Newest commit on my branch restores compatibility with IceCat 60. Testing on other browsers still welcome :)
...
08/19/2021
- 01:49 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > Now there is real danger cookie will not get deleted for some reason and will get sent to server. Anyway, I think t...
08/18/2021
- 08:57 PM Support #75 (Rejected): ServiceWorkers
- Investigate into Service Workers. Find out if some additional measures need to be taken against them
- 08:54 PM Revision 3d0efa15 (haketilo): remove unneeded policy-related console messages; restore IceCat 60 compatibility
- 06:10 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- > Sounds like a winner (and much safer than dealing with the URL fragment)!
It is indeed way more convenient. Safe...
- 05:53 PM Revision 014f2a2f (haketilo): implement smuggling via cookies instead of URL
- 05:51 PM Revision 0bbda8fc (haketilo): enhance our bundler to protect top-level `this' from accidental clobbering
08/17/2021
- 01:19 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > Sad that I already wrote the toughest parts of that one :/
*Sigh* :/
At least you've got something to start w...
- 07:50 PM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- UPDATE
Bad news (but read on!) - we cannot use `document.write()` this way from content script nor from any `<script...
- 01:13 AM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- Sounds like a winner (and much safer than dealing with the URL fragment)! That said, is there any way to deal with a ...
- 07:41 PM Bug #65: When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
- We should investigate if we can use `Set-Cookie` header instead of URL for policy smuggling
EDIT: Looks very promi...
- 02:00 AM Revision 9e280d45 (haketilo): Begin work on a Hydrilla-compatible virtual website for testing
- The file test/gorilla.py will help with testing repositories.
It also provides a CLI Hydrilla > Hachette fix converter.
- 02:00 AM Revision e9b7f4d7 (haketilo): Enable the hijacking proxy in the test suite to serve responses
- 02:00 AM Revision 5b7c9edb (haketilo): Merge remote-tracking branch 'origin/master' into jahoti
08/16/2021
- 11:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
- > I think it will take me a little while to understand exactly what magic you've pulled :).
All that's needed is t...