aboutsummaryrefslogtreecommitdiff
path: root/common
AgeCommit message (Collapse)Author
2021-12-22reworked build system; added missing license noticesWojtek Kosior
2021-12-16facilitate tracking of IndexedDB item store contentsWojtek Kosior
2021-12-15facilitate mocking imported valuesWojtek Kosior
2021-12-14facilitate broadcasting messages to different execution contexts within the ↵Wojtek Kosior
webextension
2021-12-13add `is_object_empty` utility functionWojtek Kosior
2021-12-10improve IndexedDB useWojtek Kosior
2021-12-08facilitate initialization of IndexedDB for use by HaketiloWojtek Kosior
2021-12-04finish implementing more efficient querying of URL patternsWojtek Kosior
The algorithm is implemented and tested. However, it is yet to be hooked into the actual extension.
2021-12-03merge `master` (license notices) and `koszko` (v1.0 development)Wojtek Kosior
2021-12-03start implementing more efficient querying of URL patternsWojtek Kosior
2021-12-01improve unit testing approachWojtek Kosior
Unit tests were moved to their own subdirectory. Fixtures common to many unit tests were moved to test/unit/conftest.py. A facility to execute scripts in page's global scope was added. A workaround was employed to present information about errors in injected scripts. Sample unit tests for regexes in common/patterns.js were added.
2021-11-30rewrite parts of build script in awkWojtek Kosior
2021-11-20replace cookies with synchronous XmlHttpRequest as policy smuggling method.Wojtek Kosior
Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later.
2021-10-30Fix license notices on JS and SH filesjahoti
Other files have been left, as no model notice is available
2021-09-13rename the extension to "Haketilo"Wojtek Kosior
2021-09-10limit allowed pattern lengthsWojtek Kosior
2021-09-09simplify CSP handlingWojtek Kosior
All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own.
2021-09-08Fix sanitizing of non-HTML XMLDocument'sWojtek Kosior
2021-09-06generate Chromium unique key automatically in `build.sh'Wojtek Kosior
2021-09-04merge changes before version 0.1Wojtek Kosior
2021-09-02implement rethinked <meta> tags sanitizing approachWojtek Kosior
This has not been tested yet. Additionally, functionality for blocking of `data:' urls needs to be re-enabled.
2021-09-02enable toggling of global script blocking policy\n\nThis commit also ↵Wojtek Kosior
introduces `light_storage' module which is later going to replace the storage code we use right now.\nAlso included is a hack to properly display scrollbars under Mozilla (needs testing on newer Mozilla browsers).
2021-08-27put simplest, asynchronous local storage operations in a separate fileWojtek Kosior
2021-08-27add support for `ftp://' protocolWojtek Kosior
2021-08-27enable whitelisting of `file://' protocol\n\nThis commit additionally also ↵Wojtek Kosior
changes the semantics of triple asterisk wildcard in URL path.
2021-08-26improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 ↵Wojtek Kosior
implementation is no longer pulled in contexts that don't require it.
2021-08-20sanitize `<meta>' tags containing CSP rules under ChromiumWojtek Kosior
This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script.
2021-08-18remove unneeded policy-related cosole messages; restore IceCat 60 compatibilityWojtek Kosior
2021-08-18implement smuggling via cookies instead of URLWojtek Kosior
2021-08-14merge facility to install from HydrillaWojtek Kosior
2021-08-14merge csp-PoCWojtek Kosior
2021-08-06Facilitate installation of scripts from the repositoryWojtek Kosior
This commit includes: * removal of page_info_server * running of storage client in popup context * extraction of some common CSS to a separate file * extraction of scripts import view to a separate file * addition of a facility to conveniently clone complex structures from DOM (in DOM_helpers.js) * addition of hydrilla repo url to default settings * other minor changes and of course changes related to the actual installation of scripts from the repo
2021-08-04make settings_query.js use storage object passed as an argumentWojtek Kosior
2021-08-02[UNTESTED- will test] Add filtering for http-equiv CSP headersjahoti
2021-07-27validate settings on importWojtek Kosior
2021-07-26provide a facility to sanitize externally-obtained JSONWojtek Kosior
2021-07-26Fix some bugs in the refined CSP handlingjahoti
2021-07-26Remove unnecessary imports of url_item and add a CSP header-parsing functionjahoti
The parsing function isn't used yet; however, it will eventually be as a less destructive alternative to handling headers as indivisible units.
2021-07-23extract observables implementation from storage.jsWojtek Kosior
2021-07-21add ability to query page content from repo and display it in the popupWojtek Kosior
2021-07-21store repository URLs in settingsWojtek Kosior
2021-07-20Merge rebranding to "Hachette"Wojtek Kosior
2021-07-20fix page info server bugsWojtek Kosior
2021-07-20Merge commit 'ecb787046271de708b94da70240713e725299d86'Wojtek Kosior
2021-07-19Refer to the extension consistently as "Hachette" and remove TODOS.orgjahoti
from the copyright file
2021-07-18Streamline and harden unique values/settingsjahoti
The base URL is now included in the settings. The unique value no longer uses it directly, as it is included by virtue of the settings; however, the number of full hours since the epoch (UTC) is now incorporated.
2021-07-17Revamp signatures and break header caching on FFjahoti
Signatures, instead of consisting of the secure salt followed by the unique value generated from the URL, are now the unique value generated from the policy value (which will follow them) succeeded by the URL. CSP headers are now _always_ cleared on FF, regardless of whether the page is whitelisted or not. This means whitelisting takes effect on page reload, rather than only when caching occurs. However, it obviously presents security issues; refinment will occur in a future commit.
2021-07-16Use URL-based policy smugglingjahoti
Increase the power of URL-based smuggling by making it (effectively) compulsory in all cases and adapting a <salt><unique value><JSON-encoded settings> structure. While the details still need to be worked out, the potential for future expansion is there.
2021-07-12Stop using the nonce consistently for a URLjahoti
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism.
2021-07-11Integrate browser.js into exports_init.js, and streamline the resultjahoti