Age | Commit message (Collapse) | Author | |
---|---|---|---|
2022-01-27 | add actual payload injection functionality to new content script | Wojtek Kosior | |
2022-01-26 | add new root content script | Wojtek Kosior | |
2022-01-18 | facilitate caching repository responses in content scripts | Wojtek Kosior | |
2022-01-17 | test script blocking with and without the CSP-based approach on | Wojtek Kosior | |
2022-01-17 | move policy enforcing code to a new file, include basic test | Wojtek Kosior | |
2022-01-04 | fix license promise typo | Wojtek Kosior | |
2021-12-31 | utilize Pattern Tree to decide the policy to use and modify HTTP response ↵ | Wojtek Kosior | |
headers according to that policy This commit also enhances the build script so that preprocessor conditionals can now use operators '&&' and '||'. The features being developed are not yet included in the actual Haketilo build. Some of the new source files contain similar functionality to other ones already existing in the source tree. At some point the latter will be removed. | |||
2021-12-22 | reworked build system; added missing license notices | Wojtek Kosior | |
2021-12-03 | merge `master` (license notices) and `koszko` (v1.0 development) | Wojtek Kosior | |
2021-11-20 | replace cookies with synchronous XmlHttpRequest as policy smuggling method. | Wojtek Kosior | |
Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later. | |||
2021-10-30 | Fix license notices on JS and SH files | jahoti | |
Other files have been left, as no model notice is available | |||
2021-09-13 | rename the extension to "Haketilo" | Wojtek Kosior | |
2021-09-10 | disable service workers when scripts are blocked | Wojtek Kosior | |
2021-09-09 | restore compatibility with IceCat 60 | Wojtek Kosior | |
2021-09-09 | simplify CSP handling | Wojtek Kosior | |
All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own. | |||
2021-09-08 | Fix sanitizing of non-HTML XMLDocument's | Wojtek Kosior | |
2021-09-06 | re-enable sanitizing of data: URLs and also sanitize intrinsics on non-HTML ↵ | Wojtek Kosior | |
pages where CSP doesn't work | |||
2021-09-04 | fix script blocking bug under Chromium | Wojtek Kosior | |
2021-09-04 | merge changes before version 0.1 | Wojtek Kosior | |
2021-09-03 | disable payload injection on non-html pages | Wojtek Kosior | |
2021-09-02 | implement rethinked <meta> tags sanitizing approach | Wojtek Kosior | |
This has not been tested yet. Additionally, functionality for blocking of `data:' urls needs to be re-enabled. | |||
2021-09-02 | enable toggling of global script blocking policy\n\nThis commit also ↵ | Wojtek Kosior | |
introduces `light_storage' module which is later going to replace the storage code we use right now.\nAlso included is a hack to properly display scrollbars under Mozilla (needs testing on newer Mozilla browsers). | |||
2021-08-27 | add support for `ftp://' protocol | Wojtek Kosior | |
2021-08-27 | enable whitelisting of `file://' protocol\n\nThis commit additionally also ↵ | Wojtek Kosior | |
changes the semantics of triple asterisk wildcard in URL path. | |||
2021-08-26 | improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 ↵ | Wojtek Kosior | |
implementation is no longer pulled in contexts that don't require it. | |||
2021-08-23 | use StreamFilter under Mozilla to prevent csp <meta> tags from blocking our ↵ | Wojtek Kosior | |
injected scripts | |||
2021-08-20 | sanitize `<meta>' tags containing CSP rules under Chromium | Wojtek Kosior | |
This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script. | |||
2021-08-18 | remove unneeded policy-related cosole messages; restore IceCat 60 compatibility | Wojtek Kosior | |
2021-08-18 | implement smuggling via cookies instead of URL | Wojtek Kosior | |
2021-08-14 | merge facility to install from Hydrilla | Wojtek Kosior | |
2021-08-14 | Revert changes to content/main.js to commit 25817b68c* | jahoti | |
It turns out modifying the CSP headers in meta tags has no effect. | |||
2021-08-06 | Facilitate installation of scripts from the repository | Wojtek Kosior | |
This commit includes: * removal of page_info_server * running of storage client in popup context * extraction of some common CSS to a separate file * extraction of scripts import view to a separate file * addition of a facility to conveniently clone complex structures from DOM (in DOM_helpers.js) * addition of hydrilla repo url to default settings * other minor changes and of course changes related to the actual installation of scripts from the repo | |||
2021-08-02 | [UNTESTED- will test] Add filtering for http-equiv CSP headers | jahoti | |
2021-07-26 | Remove unnecessary imports of url_item and add a CSP header-parsing function | jahoti | |
The parsing function isn't used yet; however, it will eventually be as a less destructive alternative to handling headers as indivisible units. | |||
2021-07-21 | add ability to query page content from repo and display it in the popup | Wojtek Kosior | |
2021-07-20 | Merge rebranding to "Hachette" | Wojtek Kosior | |
2021-07-20 | Merge commit 'ecb787046271de708b94da70240713e725299d86' | Wojtek Kosior | |
2021-07-19 | Refer to the extension consistently as "Hachette" and remove TODOS.org | jahoti | |
from the copyright file | |||
2021-07-18 | Streamline and harden unique values/settings | jahoti | |
The base URL is now included in the settings. The unique value no longer uses it directly, as it is included by virtue of the settings; however, the number of full hours since the epoch (UTC) is now incorporated. | |||
2021-07-17 | Revamp signatures and break header caching on FF | jahoti | |
Signatures, instead of consisting of the secure salt followed by the unique value generated from the URL, are now the unique value generated from the policy value (which will follow them) succeeded by the URL. CSP headers are now _always_ cleared on FF, regardless of whether the page is whitelisted or not. This means whitelisting takes effect on page reload, rather than only when caching occurs. However, it obviously presents security issues; refinment will occur in a future commit. | |||
2021-07-16 | Use URL-based policy smuggling | jahoti | |
Increase the power of URL-based smuggling by making it (effectively) compulsory in all cases and adapting a <salt><unique value><JSON-encoded settings> structure. While the details still need to be worked out, the potential for future expansion is there. | |||
2021-07-12 | merge jahoti into master | Wojtek Kosior | |
2021-07-12 | Stop using the nonce consistently for a URL | jahoti | |
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism. | |||
2021-07-11 | Remove redundant nonce-based filtering in the script suppressor | jahoti | |
2021-07-06 | show some settings of the current page in the popup | Wojtek Kosior | |
2021-07-02 | move parsing of url with targets to misc.js | Wojtek Kosior | |
2021-06-30 | refactor 3 miscellaneous fnctionalities to a their single own file | Wojtek Kosior | |
2021-06-30 | emply an sh-based build system; make some changes to blocking | Wojtek Kosior | |
2021-06-28 | Index two new files intended for the previous commit. | jahoti | |
2021-06-28 | License script-blocking techniques from NoScript in machine-readable format. | jahoti | |
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: urls should be refined (eventually) to align with current practice for pages in general. Also, script-blocking is now filtered by nonce, making it possible (albeit perhaps not desirable) to inject scripts before the DOM is complete. |