1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
TODO:
- parallelize fetching of remote scripts
- allow specifying whether a script occurring mutiple times directly
or indirectly in a bag should be included multiple times or once
- make it possible to provide backup urls for remote scripts
- make it possible to cache remote scripts
- optimize url querying
- make it possible to automatically download page's served scripts and save them (of course, this by itself -- CRUCIAL
would give little benefit, but it will make it easy to modify this set of scripts - useful, if some of
those scripts are already free, as is often the case)
- also, find some convenient way to automatically re-add "on" events ("onclick" & friends)
- add some good, sane error handling
- get rid of those warnings and exceptions in console (many are not even related to this extension;
who invented this thing?) (gecko-only)
- make page settings easily and conveniently editable in popup -- CRUCIAL
- in popup make it possible to edit both main frame page's
settings and settings for pages that currently happen to
live in iframes
- add some nice styling to settings page
- make script bag components re-orderable (via drag&drop in options page) -- CRUCIAL
- find some way not to require each chrome user to modify manifest.json
- test with more browser forks (Abrowser, Parabola IceWeasel, LibreWolf)
- make sure page's own csp in <head> doesn't block our scripts
- create a repository to host scripts
- enable the extension to automatically fetch script substitutes from the repo
- make it possible to inject scripts to arbitrary places in DOM
- make script blocking code omit those scripts
- check if prerendering has to be blocked -- CRUCIAL
- block prefetch
- rearrange files in extension
- supplement the build script with a makefile, also produce zipped arifacts
- perform never-ending refactoring of already-written code
- also implement support for whitelisting of non-https urls
- validate data entered in settings
- stop always using the same script nonce on given https(s) site (this
improvement seems to be unachievable in case of other protocols)
- besides blocking scripts through csp, also block connections that needlessly
fetch those scripts
- make extension's all html files proper XHTML
- split options_main.js into several smaller files
- validate settings data on import
- rename the extension to something good
- find some good hatchet icon and rename the extension to "Hachette"
(unless someone suggests another good name before we do so)
- add an option to disable script blocking globally
- Add support to settings_query for non-standard URLs
(e.g. file:// and ftp://)
- Process HTML files in data: URLs instead of just blocking them
- improve CSP injection for pathological cases like <script> before <head>
- Fix FF script blocking and whitelisting (FF seems to be by itself repeatedly
injecting CSP headers that were injected once, this makes it impossible to
whielist site that was unwhitelisted before; FF also seems to be removing our
injected script's nonce for no reason 🙁)
DONE:
- find out if we can successfully use CSP to block file:// under FF -- DONE 2021-06-30
- come up with own simple DSL to manage imports/exports -- DONE 2021-06-30
- add some mechanism to build the extension -- DONE 2021-06-30
- see if browsers based on pre-quantum FF support enough of -- DONE 2021-06-29
WebExtensions for easy porting (no, those we know dropped the support)
- make blocking more thorough -- DONE 2021-06-28
- mind the data: urls -- CRUCIAL
- employ copyright file in Debian format -- DONE 2021-06-25
- find out what causes storage sometimes not to get initialized under IceCat 60 -- DONE 2021-06-23
- make it possible to export page settings in some format -- DONE 2021-06-19
- make it possible to use wildcard urls in settings -- DONE 2021-05-14
- port to gecko-based browsers -- DONE 2021-05-13
- find a way to additionally block all other scripts using CSP -- DONE 2021-05-13
- only allow a single injection payload for page -- DONE 2021-05-13
- rename "bundles" to "bags" to avoid confusion with Web Bundles -- DONE 2021-05-12
- use non-predictable value in place of "myext-allow", utilizing hashes -- DONE 2021-05-12
- stop using modules (not available on all browsers) -- DONE 2021-05-12
- clean up the remnants of LibreJS -- DONE 2021-05-12
- implement whitelisting -- DONE 2021-05-07
- find way to also block scripts in non-http pages (e.g. file://) -- DONE 2021-05-07 (via content scripts, may not be perfect)
(NoScript seems to be doing this through CSP)
- make page settings easily and conveniently editable in a separate window/tab -- DONE 2021-05-05
- replace comparisons with stricter ones (e.g. do `if(foo === undefined)` instead of `if(!foo)`) -- DONE
- make local storage safe (serialize storage accesses in background script) -- DONE
- split main.js into multiple files -- DONE 2021-01-05
- make it possible to store entire script files in storage (not just links) -- DONE 2021-01-05
- make it possible to re-use the same script or set of scripts multiple times -- DONE 2021-01-05
|
