gorhill / httpswitchboard Goto Github PK

Not a feature I would use, but looking at typical user who doesn't like constantly whitelisting at least the top page, this would be useful to them, and potentially prevent them from giving up on using a script blocker altogether. Even allowing just the hostname of top page helps in blocking a lot of useless stuff.

When these types are preemptively blocked, this mean they won't generate web requests, which means their counts will be underreported in the matrix.

This happens because the tabs are loaded after the extension, but before the whitelist/blacklis loaded (Chromium decides, I don't). Solution is to force a reload of tabs -- and intelligently if possible, that is, only reload tabs which are toggled in part or in whole by the newly loaded lists.

Request URLs are responsible for a lot of allocation/deallocation, so saving space on these should help I believe.

Roughly, URL is decomposed in nodes, i.e.
protocol, hostname, path, leaf (the most likely mutated)

A unique runtime id is assigned to each node when they first appear, or the id is looked if the node already exists (except for the leaf portion of the URL, which is rather pointless to compact given its likely uniqueness)

The "packed" URL consist of a concatenation of the runtime id of each node, in order of occurrence. The runtime id itself could be base 64 rather than plain hex conversion.

Example:

Currently:

http://cdn.arstechnica.net/wp-content/themes/arstechnica/assets/images/mobile.png#image
http://cdn.arstechnica.net/wp-content/themes/arstechnica/assets/images/nav-house-sprite.png#image
http://cdn.arstechnica.net/wp-content/themes/arstechnica/assets/images/orange-arrow-bottom-right.png#image
http://cdn.arstechnica.net/wp-content/themes/arstechnica/assets/images/search.png#image
...

After (say using plain hex):

1 F 234 mobile.png#image
1 F 234 nav-house-sprite.png#image
1 F 234 orange-arrow-bottom-right.png#image
1 F 234 search.png#image
...

Where above 1 is http://, F is cdn.arstechnica.net, 234 is /wp-content/themes/arstechnica/assets/images/

Something to ponder, as per user feedback in Chrome store.

Is it possible to make it so selections for the "Detailed" list under "Statistics and detailed net requests" are saved? for example, I usually only want to see Blocked, Scripts & Frames, but I have to clear the other checkboxes every time I view it.

This can be really annoying..

Doesn't seem to work.

I count properly the data source of the plugin, however, the plugins themselves are embedded in the main page, so they should be also counted for the main pages. Not counting them in the main page prevent the main page to reload when user changes the white/blacklist status of these plugins.

Example:

For http://www.newscientist.com/, matrix reports one plugin at www.youtube.com.

However, plugin itself sits in http://www.newscientist.com/, it is only the data source of the plugin which is at www.youtube.com. I need to report that one plugin also for www.newscientist.com.

Go to https://github.com (or any other https website)

Whitelist it.

Go to chrome://settings/contentExceptions#javascript

"github.com"

It should be "https://github.com".

This may be annoying so perhaps it would make sense to have matching be an option to be enabled by users?

Thanks.

Need to offer encrypting of whitelist, so that users are less worried using Google syncing features.

This looks useful: https://github.com/bitwiseshiftleft/sjcl/blob/master/demo/example.js

For those times you just want to whitelist temporarily a site. It is a basic blocker feature. Need to figure best way to implement this without complicating matrix interaction.

One idea is to toggle whitelist/graylist when user click on upper half of cell, toggle blacklist/graylist when user click on lower half of cell. Would need to provide a subtle visual though, to avoid creating confusion.

Need to think about how the best UI to support this feature, without destroying/bloating the matrix paradigm.

As discussed in #8. Cookies are really blocked by HTTPSB, it's just that chromium need to be told about it.

Test case:
http://acid3.acidtests.org/

This is probably due to the fact that chrome.contentSettings.javascript.set() is asynchronous, which means the preventing of inline javascript is not guaranteed to take effect before the page is processed/executed by the browser.

Until there is a fix (chromium developers might need to come up with something):

[Edit 2014-05-26: Some people are still using this entry as a reference. Since issue #35 has been fixed, the "workaround" below is no longer needed, it is has been rendered irrelevant with the fix.]

Workaround:

- Go to chrome/chromium "Settings".
- You might need to click "Show advanced settings".
- In "Privacy" section, click "Content settings..." button.
- In the "Javascript" section, click "Do not allow any site to run JavaScript".

HTTP Switchboard will continue to take care to enable javascript for whitelisted site.

Open Global info, close Global info page.
Memory leaks, as seen when using chromium timeline tool.

So far investigation tells me the problem in within Tempo.js. That's unfortunate, it was really handy.

Currently precedence is:

1. specific type/specific domain
2. specific domain
3. specific type
4. master switch

Which prevent from being able to generally blacklist say, "frames" or "cookies" or whatever for whitelisted domains, unless done expressly through the matrix. I don't like frames or cookies, so I wish I could just blacklist them all the times even for whitelisted sites.

Need more thought on how to provide this without adding complication to the user.

One solution I presently consider is to have a settings which allow a user to auto-blacklists a specific type whenever he/she whitelists a domain. So matrix interaction stays the same, except that paranoid (in a good way) users still have the ability to choose to never trust "frames" or "cookies" or whatever else even for whitelisted domains without further matrix interaction.

Given the news that php.net was hacked with a malware which worked through an iframe (this is common for malware), this feature which I was considering since a while appears to be a must-have now.

http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/

So it will be like that:

• Blacklisted types have precedence over whitelisted hostnames (new behavior)
• Blacklisted hostnames have precedence over whitelisted types (stays same as current)

This is a change in behavior. It is a good idea to blacklist iframes in general, but this choice is currently meaningless when whitelisting a specific hostname, as the hostname currently has always priority. So the basic logic will be simple enough to not cause confusion (hopefully) in user's mind:

Whatever is blacklisted by inheritance has precedence over what is whitelisted by inheritance. (hopefully I won't find annoying side effect complication with this new behavior.)

Scenario:

• Go to youtube.com
• Find and play a video
• Open popup menu
• Position mouse over one of the cell in the header row
• Wait

Matrix will disappear eventually when matrix update because new net traffic was detected.

This happens because I count the divs in the cell menu (padlock etc) as a header cell entry. Need to filter using .matCell.

Still need to investigate, but it could be when opening the "Stats" page. Investigate.

Timeline => Record shows extra document objects.

So that if someone stumble on a pretty good third party blacklist, they can import it.

Sounds like a good idea to be able to see raw request -- although this is more useful for technical people.

When using the "Undo all temporary changes" button in the popup menu.

Since the new release, if you click on the icon to look at the items being blocked, allowed or whatnot, even if you don't make any changes, it results in the reload of ALL open tabs and this is very problematic. You can't check the items without having this global reload occur which is disruptive, especially on tabs that are in the middle of something and results in re-submissions, interruptions, and loss of content.

1. This is a huge bug, there should be no global all tab reload when no settings have been changes simply because you clicked on the icon to see what's there.

2. Even if there is a change, only those tabs who are affected by that specific change in permission should be automatically reloaded, not the others.

3. Also, giving permission to a resource does not enable all the rights for the tab (such as the scripting and still says disabled) and even force reloading the tab does nothing to fix that, you have to open the link in another tab for it to work right, why is that?

Because initMatrixStats() can't extract a hostname from a data URL. Proper fix is to use the hostname of the page URL for data URL.

Currently shows only a handful of blacklisted sites, while the real count is around 28,000 blacklisted sites. These sites are really blocked, it's only the reporting which is broken (with some latest changes.)

Will fix this asap so that people don't panic...

In the popup menu:

• Go to a site which are known to contains preset blacklisted domain names
• Whitelist one such domain
• Click padlock to make this cell permanently whitelisted
• Click the "Undo all temprary changes" icon

Result:
The permanent whitelist status of the cell (which is part of a preset blacklist) is not respected.

Fix is to reverse the order the lists are restored.

Currently all requests are recorded now (as seen in the "Geeky stats" section of the "Stats" page.)

Sometimes, you might not care about these detailed requests (just hostnames is utlimately only was is needed for the matrix UI), and on some pages they might amount to a lot of memory consumed (like when playing youtube videos).

So think of a way to offer this switch, also on a per-page basis probably with next major update which will support per-page permissions.

When trying to install an extension, Chrome store sends a request looking like this when user press "install" button:

other https://lh4.googleusercontent.com/UJOWaD1RWOFPtiiCILdm1TT0qaPQc8YuVstJd9Pbkvgeaa4FIMCULDjq0Lbm6Ka_LT5cQDQqM8k=s128-h128-e365

As seen in Stats page. If this behind-the-scene request is blocked (because user chose to block googleusercontent.com hostname), Chrome store reports:

An error has occurred
There was a problem adding the item to Chrome. Please refresh the page and try again.

Somehow only one of the (current) two remote lists is locally saved, while the other is not -- even though according to console.log it is...

User might want to see only domain names which had content blocked, or only the whitelisted ones, etc. etc.

Examples, look at the number of rows...

• http://resources.infosecinstitute.com/owned-by-chrome-extensions/
• http://www.tomshardware.com/ when tomshardware.com and bestofmedia.com are whitelisted

Hi, I just install the chrome extension and it reversed all my previous setting. Sites that I trust (Malwarebytes, Bleeping Computer, et al.) have had all of the settings reverse from allow to block. Also, some sites that I have conditional 'Ask Me' (I like the site but am not completely convinced to trust) were granted full permissions.

Any ideas? Until this can be resolved I've removed and WILL NOT recommend.

As seen in this snapshot:

Really need this at this point to validate HTTPSB is doing what is says it is doing. So first:

• Test scripts (inline and external) are disabled
• Test cookies are not returned

Changed title from "Support localization" to more accurate "Localization issues".

As in http://labs.lachisterablanca.com/poc/bypass/index.php?%3Cscript%3Ealert(%27XSS%20WITH%20WHITESPACES%27);%3C/script%3E=anyValue

This could be useful also if users want to export their lists, or cleanup their lists (by providing ability to remove entries).

I have pretty poor eye site and the boxes are a bit small. Having a feature that allows them to maybe grow 50-75% in size would be really nice.

All net traffic can be seen in details on the info page, and user can select a specific page to see the traffic for that page.

According to Google Chrome Privacy Whitepaper, the browser may send requests depending on user settings like default search engine, malware and phishing protection, etc.

These net requests are not send as originating from any opened tab in the browser, so in order to enable the user to see the details of these requests, have a permanent stats recorder for that kind of request, so that user can inspect them in the info pane.

I shouldn't have inverted the tests before checking changes for issue #29.

Just like NoScript does -- one of its best feature.

I have no idea of feasability yet.

Problem is, https://chrome.google.com/extensions disable extensions, but not before HTTP Switchboard disabled javascript for the site, since it is not out-of-the box whitelisted. Result: user cannot whitelist site since extension is disabled by the site.

This happens only when using an external link to the store (works fine from the "new tab").

As the project is growing, this is getting out of control.

A force reload fixed the problem. Is there something I don't know about update? I am assuming the extension is fully reloaded. Forcing a reload of the extension fixed the problem.

To speed up things, reuse existing rows when matrix is updated while opened.

Please see url: http://www.teamradio.ca/canucks/

Click on "Listen Live" , media player pops up but it won't play audio no matter what I whitelist.

This happens because there is a call to $('#matrix-list').empty() in makeMenu(), and if the cell menu is attached, it ends up also being removed. Fix is to detach the menu before calling empty()

Example:

                  fastly.net
              ssl.fastly.net
       global.ssl.fastly.net
github.global.ssl.fastly.net

The one that was really requested was github.global.ssl.fastly.net, so provide distinctive visual for this one.