make popup always show information about the main frame
fix SVG script blocking
remove unneeded import in policy_enforcing.js
force tags
prevent injected scripts from executing out of order
add more tests for CORS bypassing feature
allow injected scripts to bypass CORS using provided API
prepare for exposing APIs to injected scripts
serialize and deserialize entire Response object when relaying fetch() calls to other contexts using sendMessage
improvement to also properly sanitize intrinsics in XML documents under older browsers (IceCat 60)
improve script blocking in non-HTML documents (XML)
fix setting of 'blocked-blocked<...>-' attributes and add tests
for () loop styling
fix setting of 'blocked-' attributes when blocking intrinsic event handlers
prepend all generated console messages with 'Haketilo:'
fix comment typo
inject scripts to pages utilizing blob: URLs
restore chromium support
support Parabola's Iceweasel in tests
make Haketilo buildable again (for Mozilla)
How cool it is to throw away 5755 lines of code...
add actual payload injection functionality to new content script
add new root content script
facilitate caching repository responses in content scripts
test script blocking with and without the CSP-based approach on
move policy enforcing code to a new file, include basic test
fix license promise typo
utilize Pattern Tree to decide the policy to use and modify HTTP response headers according to that policy
This commit also enhances the build script so that preprocessor conditionals can now use operators '&&' and '||'. The features being developed are not yet included in the actual Haketilo build....
reworked build system; added missing license notices
merge master (license notices) and koszko (v1.0 development)
master
koszko
replace cookies with synchronous XmlHttpRequest as policy smuggling method.
Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later.
Fix license notices on JS and SH files
Other files have been left, as no model notice is available
rename the extension to "Haketilo"
disable service workers when scripts are blocked
restore compatibility with IceCat 60
simplify CSP handling
All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own.
Fix sanitizing of non-HTML XMLDocument's
re-enable sanitizing of data: URLs and also sanitize intrinsics on non-HTML pages where CSP doesn't work
fix script blocking bug under Chromium
merge changes before version 0.1
disable payload injection on non-html pages
implement rethinked tags sanitizing approach
This has not been tested yet. Additionally, functionality for blocking of `data:' urls needs to be re-enabled.
enable toggling of global script blocking policy\n\nThis commit also introduces `light_storage' module which is later going to replace the storage code we use right now.\nAlso included is a hack to properly display scrollbars under Mozilla (needs testing on newer Mozilla browsers).
add support for `ftp://' protocol
enable whitelisting of `file://' protocol\n\nThis commit additionally also changes the semantics of triple asterisk wildcard in URL path.
improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.
use StreamFilter under Mozilla to prevent csp tags from blocking our injected scripts
sanitize `' tags containing CSP rules under Chromium
This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script.
remove unneeded policy-related cosole messages; restore IceCat 60 compatibility
implement smuggling via cookies instead of URL
merge facility to install from Hydrilla
Revert changes to content/main.js to commit 25817b68c*
It turns out modifying the CSP headers in meta tags has no effect.
Facilitate installation of scripts from the repository
This commit includes:
[UNTESTED- will test] Add filtering for http-equiv CSP headers
Remove unnecessary imports of url_item and add a CSP header-parsing function
The parsing function isn't used yet; however, it will eventually be as a less destructive alternative to handling headers as indivisible units.
add ability to query page content from repo and display it in the popup
Merge rebranding to "Hachette"
Merge commit 'ecb787046271de708b94da70240713e725299d86'
Refer to the extension consistently as "Hachette" and remove TODOS.org from the copyright file
Streamline and harden unique values/settings
The base URL is now included in the settings. The unique value no longer uses it directly, as it is included by virtue of the settings; however, the number of full hours since the epoch (UTC) is now incorporated.
Revamp signatures and break header caching on FF
Signatures, instead of consisting of the secure salt followed by the unique value generated from the URL, are now the unique value generated from the policy value (which will follow them) succeeded by the URL....
Use URL-based policy smuggling
Increase the power of URL-based smuggling by making it (effectively) compulsory in all cases and adapting a structure. While the details still need to be worked out, the potential for future expansion is there.
merge jahoti into master
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to...
Remove redundant nonce-based filtering in the script suppressor
show some settings of the current page in the popup
move parsing of url with targets to misc.js
refactor 3 miscellaneous fnctionalities to a their single own file
emply an sh-based build system; make some changes to blocking
Index two new files intended for the previous commit.
License script-blocking techniques from NoScript in machine-readable format.
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: urls should be refined (eventually) to align with current practice for...
gather all copyright info in 'copyright' file
when possible inject CSP as http(s) header using webRequest instead of adding a tag
change licenses
utilize CSP for blocking
use unique hashes when smuggling whitelist setting
stop using js modules
initial commit