Activity

From 09/04/2021 to 10/03/2021

10/03/2021

07:40 AM Support #95 (In Progress): Add JShelter in wiki: comparison with other extensions
Thoughts/comments/critiques on the attached chart?
koszko wrote:
> We could even have separate rows for "Haketilo...
0gitnick

10/02/2021

11:59 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> For reCAPTCHA I think the data that get extracted (maps from challenge code to displayed text) is constant at least... koszko
04:05 AM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
> In case of important data only being available in external scripts (btw, I think this is the case with reCAPTCHA wh... jahoti
11:56 AM Feature #96: Facilitate checking that extension contents haven't been replaced by Mozilla during signing
jahoti wrote:
> The attached script should be able to confirm whether the workings of the extension have been modifi...
koszko
03:52 AM Feature #96: Facilitate checking that extension contents haven't been replaced by Mozilla during signing
Definitely not!
The attached script should be able to confirm whether the workings of the extension have been modi...
jahoti
04:12 AM Feature #73: [Roadmap 6] Implement a permissions system
> As to otherwise drawing from it... It might be an option, although it'll still require a serious bit of work. I per... jahoti

10/01/2021

10:29 PM Feature #96 (Rejected): Facilitate checking that extension contents haven't been replaced by Mozilla during signing
I see no reason we should blindly trust another party here, be it Mozilla or someone else. Right now it seems Mozilla... koszko
10:06 PM haketilo-0.1.mozilla-signed.xpi
koszko
10:06 PM haketilo-0.1.mozilla-signed.xpi.sig
koszko
10:05 PM Revision d7e48c58 (haketilo): Add complete firefox extension upload and download functionality
koszko
04:28 PM Feature #71: [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
In case of important data only being available in external scripts (btw, I think this is the case with reCAPTCHA whic... koszko
01:13 PM Revision ea30326e (haketilo): add shell script facilitating generation of JWT
koszko
12:12 PM Support #95: Add JShelter in wiki: comparison with other extensions
> The table is a great idea!
Indeed, a brilliant one :D
We could even have separate rows for "Haketilo (with sc...
koszko
04:14 AM Support #95: Add JShelter in wiki: comparison with other extensions
The table is a great idea! Just to make sure you're aware, however, it will need to be an image or at least use image... jahoti
03:28 AM Support #95 (Rejected): Add JShelter in wiki: comparison with other extensions
The FSF just announced JShelter to combat nonfree JS:
https://www.fsf.org/news/fsf-announces-jshelter-browser-add-on...
0gitnick
12:05 PM Feature #73: [Roadmap 6] Implement a permissions system
If JSHelter turns out to be able to also work properly on sites modified by Hachette, running it in parallel would be... koszko
05:21 AM Feature #73: [Roadmap 6] Implement a permissions system
Could potentially draw from or just use <https://jshelter.org/> alongside Haketilo (still experimental). jahoti

09/29/2021

03:03 AM Feature #13 (Closed): find some way not to require each chrome user to modify manifest.json
This is now in master. jahoti

09/28/2021

06:48 AM Feature #94 (In Progress): Add support for extension auto-updating
Support for setting an update URL in the extension is now included in the jahoti-update branch. jahoti
06:41 AM Feature #22: supplement the build script with a makefile, also produce zipped artifacts
The modified build system on the jahoti-update branch now has support for zip and crx generation (using Chromium; CRX... jahoti
02:00 AM Revision 81910556 (haketilo): Add build support for update URLs
The 'url' parameter can now be used to provide an update URL jahoti
02:00 AM Revision fbf0503f (haketilo): Support building CRXs
Chromium now builds CRXs rather than ZIPs when given a key. jahoti

09/25/2021

03:49 AM Feature #94 (Rejected): Add support for extension auto-updating
See
https://developer.chrome.com/docs/extensions/mv3/linux_hosting/#update
https://extensionworkshop.com/documentat...
jahoti

09/24/2021

02:00 AM Revision df07adb2 (haketilo): Add support for Chromium zips
CRX and update URL support to come jahoti
02:00 AM Revision 853d50e5 (haketilo): Normalize CLI options
Use saner defaults and (where suitable) environment variables jahoti

09/21/2021

02:00 AM Revision e7c425cc (haketilo): Add command line options (inc. build artifacts)
Add extension packaging for Mozilla and some other treats jahoti
02:00 AM Revision 59fb32a3 (haketilo): Merge branch 'master' into jahoti-update
jahoti

09/18/2021

06:19 AM Feature #90 (Closed): Make the 0.1 release
"andyprough" has offered some outlets for spreading the news at <https://trisquel.info/en/forum/announcing-haketilo-0... jahoti

09/15/2021

02:45 PM Feature #90: Make the 0.1 release
> Note: the 0.1 release is missing the default repository :/.
My fault. Updated [[Releases]].
> If you haven't ...
koszko
12:23 PM Feature #90: Make the 0.1 release
After a somewhat embarrassing length of time, I've come to the realization the script you posted doesn't actually do ... jahoti
06:49 AM Feature #90: Make the 0.1 release
**Note**: the 0.1 release is missing the default repository :/. jahoti
02:37 PM haketilo-0.1.xpi
koszko
02:37 PM haketilo-0.1.xpi.sig
koszko
02:36 PM haketilo-0.1.tar.xz
koszko
02:36 PM haketilo-0.1.tar.xz.sig
koszko
02:00 AM Revision 960363e7 (haketilo): Add default repository to default settings
jahoti

09/14/2021

11:48 PM Support #78: Investigate into how browsers handle files that are not HTML
Rough estimate of progress (it's hard to tell without knowing in advance what the solution will involve) jahoti
11:09 PM Feature #90: Make the 0.1 release
> > As a rather unimportant aside, however, we have yet to establish a clear difference between "Haketilo" and "Haket... jahoti
08:22 PM Feature #90: Make the 0.1 release
OK, it seems all that's important is ready. Documentation will never be perfect but it's already sufficiently good. I... koszko
07:20 PM Feature #90: Make the 0.1 release
In case anyone's wondering how I automatized the generation of Chromium builds with different secrets, it's this scrip... koszko
04:24 PM Feature #90: Make the 0.1 release
> As a rather unimportant aside, however, we have yet to establish a clear difference between "Haketilo" and "Haketil... koszko
03:25 AM Feature #90: Make the 0.1 release
> Right, in the documentation (at the end of Mozilla installation instructions, perhaps also in some other place(s)) ... jahoti
07:52 PM haketilo-0.1.xpi
koszko
07:52 PM haketilo-0.1.xpi.sig
koszko
07:41 PM haketilo-0.1.tar.xz
koszko
07:41 PM haketilo-0.1.tar.xz.sig
koszko
07:29 PM Revision e9b6187e (haketilo): bump version to 0.1
koszko
07:28 PM Revision 212b5c8e (haketilo): use default settings that only contain a demo script (the rest is available through Hydrilla)
koszko
03:59 AM Feature #92: Replace cookie smuggling with some safer approach
> Actually, I thought about simply redirecting to an extension-packaged file. For basic functionality we only need 3 ... jahoti

09/13/2021

04:56 PM Revision 2bd35bc4 (haketilo): rename the extension to "Haketilo"
koszko
09:46 AM Feature #90: Make the 0.1 release
jahoti wrote:
> OK, the Firefox account generation/management script is attached.
Thanks a lot!
> (except on s...
koszko
09:12 AM Feature #90: Make the 0.1 release
OK, the Firefox account generation/management script is attached. Some notes:
* It depends on `librecaptcha`, `reque...
jahoti
09:01 AM Feature #90: Make the 0.1 release
> > (it's also possible they just distribute the signed extensions and package the signatures when building from sour... jahoti
08:02 AM Feature #90: Make the 0.1 release
> > Also, distros like Debian actually have extensions in their repositories, so there is surely some way to install ... koszko
08:25 AM Feature #92: Replace cookie smuggling with some safer approach
> That said, there are several options. Apart from the obvious approach of `data:` URLs for Chromium and `contentScri... koszko

09/12/2021

11:20 AM Feature #93 (Rejected): Elaborate on ethics in the documentation
The user manual currently contains several references to what we recommend or what the reader should be doing without... jahoti
11:13 AM Feature #90: Make the 0.1 release
I'm working through testing the Mozilla account-generation script now. I've removed the signing functionality rather ... jahoti
03:00 AM Feature #92: Replace cookie smuggling with some safer approach
It turns out Firefox did once support redirection to `data:` URLs (prior to v60, it seems), before it was accidentall... jahoti

09/11/2021

12:53 AM Feature #92: Replace cookie smuggling with some safer approach
> Jahoti, please, remind me. Why aren't we just making a synchronous AJAX call in the content script and redirecting ... jahoti
09:58 PM Feature #92: Replace cookie smuggling with some safer approach
Jahoti, please, remind me. Why aren't we just making a synchronous AJAX call in the content script and redirecting it... koszko
09:55 PM Feature #92 (Closed): Replace cookie smuggling with some safer approach
Yep, we need to find something that works. `registerContentScript()` might do the job on newer browsers (and under Ma... koszko
12:41 AM Feature #90: Make the 0.1 release
> Interesting. The flag that enables unverified installs is supposedly still supported in developer edition of Firefo... jahoti
12:51 PM Feature #90: Make the 0.1 release
Interesting. The flag that enables unverified installs is supposedly still supported in developer edition of Firefox:... koszko
12:35 PM Feature #90: Make the 0.1 release
>> Wait- is it possible to sign XPIs with our own key? If so that would be much better than relying on Mozilla.
>
>...
jahoti
12:22 PM Feature #90: Make the 0.1 release
jahoti wrote:
> Wait- is it possible to sign XPIs with our own key? If so that would be much better than relying on ...
koszko
11:54 AM Feature #90: Make the 0.1 release
Wait- is it possible to sign XPIs with our own key? If so that would be much better than relying on Mozilla.
In an...
jahoti
11:38 AM Feature #90: Make the 0.1 release
jahoti wrote:
> On that note (and your breakthrough with CRX on #13), do we want to sign releases?
Yes. And I'd l...
koszko
05:03 AM Feature #90: Make the 0.1 release
> Also, at some point we'll upload prebuilt versions of Hachette here.
On that note (and your breakthrough with CR...
jahoti
01:56 PM Revision 947fbdef (haketilo): added missing line break in options page
koszko
12:22 PM Support #75: ServiceWorkers
I unfortunately couldn't test this, as I couldn't find any test cases or understand how to set one up. jahoti
11:44 AM Support #75: ServiceWorkers
jahoti wrote:
> Somehow, it seems the biggest technical challenge for this project has become *blocking (unwanted) s...
koszko
05:15 AM Support #75: ServiceWorkers
> Ultimately, we should stop using cookies for policy smuggling, even though they initially seemed like a super good ... jahoti
12:17 PM Support #78: Investigate into how browsers handle files that are not HTML
Your most recent push seems to be working well! jahoti
05:08 AM Support #78: Investigate into how browsers handle files that are not HTML
Good point! jahoti
04:52 AM Support #78: Investigate into how browsers handle files that are not HTML
> didn't the CSP-filtering part of StreamFilter get removed anyway?
It did, although the part that remains is stil...
koszko
04:38 AM Support #78: Investigate into how browsers handle files that are not HTML
> I pushed something to koszko branch.
Rather than reply to all the commits you've made independently, I'll just n...
jahoti
12:14 PM Feature #88: [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
I read this thread earlier today and had been meaning to reply, yet couldn't find it again- sorry!
> In the end, I...
jahoti
12:02 PM Feature #32: Process HTML files in data: URLs instead of just blocking them
> Btw, I've been unaware of that manifest key. It would be cool to utilize it for something else at some point :) Alt... jahoti
11:40 AM Feature #32: Process HTML files in data: URLs instead of just blocking them
:/
Btw, I've been unaware of that manifest key. It would be cool to utilize it for something else at some point :) A...
koszko
04:56 AM Feature #32: Process HTML files in data: URLs instead of just blocking them
> It might be possible to utilize this API:
>
> <https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registe...
jahoti
11:48 AM Feature #91 (Rejected): Add an option to block HTTP "refresh"
This concerns both the HTTP header and its respective `<meta>` tag.
https://en.wikipedia.org/wiki/Meta_refresh
koszko
11:03 AM Feature #77 (Closed): Check LibreJS is compatible with this extension.
Compatibility is confirmed for IceCat 60, which is sufficient assuming there are no functional differences that would... jahoti
05:05 AM Feature #77: Check LibreJS is compatible with this extension.
Results will be added to the user documentation once obtained. jahoti
05:13 AM Feature #13: find some way not to require each chrome user to modify manifest.json
> Unfortunately, the "Google BSD license" link is dead and I cannot check which of the BSD licenses applied to that s... jahoti
04:44 AM Feature #66: Write tests
> Have you considered using UML (no, not that diagraming language, I mean User Mode Linux) to run tests inside? I'm s... jahoti

09/10/2021

10:07 PM Feature #90: Make the 0.1 release
I started documenting Hachette usage. I uploaded the screenshots I made, so if you happen to come there while I sleep... koszko
05:15 PM Feature #90: Make the 0.1 release
"allow" option, CSP behavior and URL length limits are now on `koszko` branch koszko
08:49 PM Feature #13: find some way not to require each chrome user to modify manifest.json
I found details regarding the CRX file format:
http://www.dre.vanderbilt.edu/~schmidt/android/android-4.0/external/c...
koszko
05:47 PM Support #75: ServiceWorkers
I added unregistering code on `koszko` branch. It needs testing koszko
05:46 PM Revision d658cadf (haketilo): disable service workers when scripts are blocked
koszko
05:34 PM Feature #32: Process HTML files in data: URLs instead of just blocking them
It might be possible to utilize this API:
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProto...
koszko
05:07 PM Feature #88: [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
As this is somehow related, I'll write an update regarding our recent CSP change (where we are no longer modifying ex... koszko
04:50 PM Revision 5c75d744 (haketilo): Make it impossible to check "Allow native scripts" for pages with payload.
koszko
04:18 PM Revision 72cbfa74 (haketilo): limit allowed pattern lengths
koszko

09/09/2021

06:51 PM Revision ed9cc030 (haketilo): restore compatibility with IceCat 60
koszko
06:50 PM Revision 44e89d8e (haketilo): simplify CSP handling
All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not mo... koszko
05:35 PM Support #75: ServiceWorkers
jahoti wrote:
> perhaps we could present some version of [this information](https://www.ghacks.net/2016/03/02/manage...
koszko
01:52 PM Feature #66: Write tests
Have you considered using UML (no, not that diagraming language, I mean User Mode Linux) to run tests inside? I'm sug... koszko
12:51 PM Feature #34 (Closed): improve CSP injection blocking
Can be considered done as part of #78 koszko
12:15 PM Support #78: Investigate into how browsers handle files that are not HTML
> I am going to continue with this tomorrow. Btw, I realized some mistakes (including being unaware of what I just de... koszko

09/08/2021

07:55 PM Revision e2d26bad (haketilo): Fix sanitizing of non-HTML XMLDocument's
koszko

09/07/2021

10:31 PM Support #78: Investigate into how browsers handle files that are not HTML
I now realize what is the problem with all XMLs, including SVGs. Any XML can include elements from other XML namespac... koszko
10:52 AM Support #78: Investigate into how browsers handle files that are not HTML
I suppose it's the same as with SVG, although I need to make sure it's really the case koszko

09/06/2021

12:05 AM Feature #90: Make the 0.1 release
That leaves me with 4, I suppose, which is probably just as well; the current (limited) state of the testing suite is... jahoti
08:51 PM Feature #90: Make the 0.1 release
`3`. is now ready, as noted in #78 koszko
04:54 PM Feature #90: Make the 0.1 release
Instead of implementing 2. as specified in the description, I did something else. Effect is as wanted - build.sh gene... koszko
02:39 PM Feature #90 (Closed): Make the 0.1 release
Right now what we have left to do is:
1. ~~Make it impossible to check "allow" option for page with payload, as sugg...
koszko
12:02 AM Support #78: Investigate into how browsers handle files that are not HTML
> I came up with code that should do with blocking for now. On koszko branch. Could do with more testing
Doing thi...
jahoti
08:49 PM Support #78: Investigate into how browsers handle files that are not HTML
I came up with code that should do with blocking for now. On `koszko` branch. Could do with more testing koszko
06:55 PM Support #78: Investigate into how browsers handle files that are not HTML
Now we know why NoScript included special code for SVGs and XMLs:
https://developer.mozilla.org/en-US/docs/Web/SVG/E...
koszko
02:57 PM Support #78: Investigate into how browsers handle files that are not HTML
> > While server might not be able to make user's browser execute scripts in a non-HTML page, we are. Should we restr... koszko
11:48 AM Support #78: Investigate into how browsers handle files that are not HTML
> While server might not be able to make user's browser execute scripts in a non-HTML page, we are. Should we restrai... jahoti
09:56 AM Support #78: Investigate into how browsers handle files that are not HTML
> > Now it would make sense to make content script not try to inject payload if document.contentType is not of proper... koszko
12:00 AM Feature #13: find some way not to require each chrome user to modify manifest.json
> The "key" manifest property was required by Chromium to be an actual key in PEM format
Thank you for explaining!...
jahoti
04:53 PM Feature #13: find some way not to require each chrome user to modify manifest.json
> > Wouldn't that still require each user to build the extension themselves?
>
> It would. It would just be less h...
koszko
11:45 PM Feature #28: split options_main.js into several smaller files
> Right now I can quickly make this little change you suggested since I already know that code. And you could instead... jahoti
02:20 PM Feature #28: split options_main.js into several smaller files
Discussion moved from #15
>>>>Since long-term we're not really planning to allow our scripts to run together with ...
koszko
08:45 PM Revision 704f2da0 (haketilo): re-enable sanitizing of data: URLs and also sanitize intrinsics on non-HTML pages where CSP doesn't work
koszko
04:45 PM Revision ed08ef1a (haketilo): generate Chromium unique key automatically in `build.sh'
koszko
11:41 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> Keep in mind, however, options_main.js is currently the most tangled script file in Hachette
Perhaps I'll start ...
jahoti
10:24 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> > Since long-term we're not really planning to allow our scripts to run together with page's ones (i.e. "allow site... koszko
11:41 AM Feature #7: [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
> You mean re-allowing the actual intrinsics as they appear on the page they came with?
I did, having not really t...
jahoti
10:37 AM Feature #7: [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
> A hacky and flawed solution to this might be to simply scan the nodes and revert event-handler attribute blocking.
...
koszko
11:29 AM Support #75: ServiceWorkers
> Unfortunately, it seems a page reload is required for this to take effect.
>
> Additionally, is there a way servi...
jahoti
10:50 AM Support #75: ServiceWorkers
Unfortunately, it seems a page reload is required for this to take effect.
Additionally, is there a way service w...
koszko
09:51 AM Feature #70: [Roadmap 7][Milestone] Add facility to replace sites' original HTML with custom one
Together with this, we could allow scripts to access the original, raw HTML code of the page in question. I am mentio... koszko
02:00 AM Revision b1444d9c (haketilo): Incorporate test suite from jahoti branch
jahoti
02:00 AM Revision 5dab077b (haketilo): Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.
jahoti

09/05/2021

10:50 AM Feature #26 (Closed): besides blocking scripts through csp, also block connections that needlessly fetch those scripts
Tentatively closed; the bug is no longer reproducible on IceCat, LibreWolf, or Ungoogled Chromium (version to be not... jahoti
04:38 AM Feature #26: besides blocking scripts through csp, also block connections that needlessly fetch those scripts
I'll check if this is even an issue either today or in the next few days (if live scripts are never added to the acti... jahoti
05:12 AM Support #75: ServiceWorkers
The following script will deregister all service workers in a page (courtesy of <https://love2dev.com/blog/how-to-uni... jahoti
04:52 AM Feature #14: test with more browser forks (Abrowser, newest Parabola IceWeasel, LibreWolf)
> I am not so sure. Official mobile releases stopped at 38.6.0.
That complicates things. I'll see if I can find w...
jahoti
04:50 AM Feature #7: [Roadmap 34][Milestone] find some convenient way to automatically re-add intrinsic javascript
A hacky and flawed solution to this might be to simply scan the nodes and revert event-handler attribute blocking. jahoti
04:44 AM Feature #16 (Closed): create a repository to host scripts
See project:Hydrilla and the instance at [[https://api-demo.hachette-hydrilla.org]]. jahoti
04:29 AM Feature #66: Write tests
The basic infrastructure to support creating a "virtual network" is now in the `jahoti` branch, and can be used on it... jahoti
02:20 AM Feature #15: make sure page's own csp in <head> doesn't block our scripts
> If any part of Hachette can be considered infrastructure trap, it's surely this CSP stuff. Having already done so m... jahoti

09/04/2021

01:40 AM Support #78: Investigate into how browsers handle files that are not HTML
> Btw, I noticed cookies don't work on non-HTML pages. This doesn't seem to be an issue as long as we assume the conc... jahoti
09:05 PM Bug #89 (Closed): Restore, to the extent necessary, the script sanitizing functionality
Merged to `master` koszko
08:50 PM Bug #89 (Closed): Restore, to the extent necessary, the script sanitizing functionality
Sanitizing of `<script>` tags was recently dropped because it seemed sufficient to rely on CSP rules being injected. ... koszko
09:03 PM Revision 51d43685 (haketilo): fix script blocking bug under Chromium
koszko
07:36 PM Feature #88 (New): [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
Note that this concerns CSP rules other than those for scripts. For scripts we always use a nonce
[Roadmap](/proje...
koszko
07:33 PM Bug #65 (Closed): When a site fails to load, for example due to its IP address not being found, the injected value with settings remains in the URL
Merged to `master` koszko
06:41 PM Revision 83039701 (haketilo): update documentation link in the README
koszko
05:44 PM Revision d141aada (haketilo): show appropriate message when repository returns no custom content for given URL
koszko
12:36 PM Feature #11 (Closed): add some nice styling to settings page
Merged to `master` koszko
12:35 PM Feature #15 (Closed): make sure page's own csp in <head> doesn't block our scripts
Merged to `master` koszko
12:35 PM Feature #23 (Closed): also implement support for whitelisting of non-https urls
Merged to `master` koszko
12:34 PM Feature #31 (Closed): add an option to disable script blocking globally
Merged to `master` koszko
12:34 PM Feature #49 (Closed): add some nice styling to popup
Merged to `master` koszko
12:32 PM Revision e48e20de (haketilo): merge changes before version 0.1
koszko
02:00 AM Revision 591c48a6 (haketilo): Make test suite mildly usable
Allow test/server.py to be run as a command and add some "webpages" for it. jahoti
 
