aboutsummaryrefslogtreecommitdiff
{#
SPDX-License-Identifier: GPL-3.0-or-later OR CC-BY-SA-4.0

Documentation page describing Haketilo popup.

This file is part of Hydrilla&Haketilo.

Copyright (C) 2022 Wojtek Kosior

Dual licensed under
* GNU General Public License v3.0 or later and
* Creative Commons Attribution Share Alike 4.0 International.

You can choose to use either of these licenses or both.


I, Wojtek Kosior, thereby promise not to sue for violation of this
file's licenses. Although I request that you do not make use of this
code in a proprietary work, I am not going to enforce this in court.
#}
{% extends "doc_base.html.jinja" %}

{% block title %} Popup {% endblock %}

{% block main %}
  {{ big_heading('Haketilo popup') }}

  {% call section() %}
    {% call paragraph() %}
      Taking inspiration from user interface features of browser extensions,
      Haketilo also offers a popup window for quick interaction with the
      user. For technical reasons, the popup is presented as part of the web
      page and behaves slightly differently from those some users might have
      found in similar tools.
    {% endcall %}
  {% endcall %}

  {% call section() %}
    {{ medium_heading('Operating') }}

    {% call paragraph() %}
      The popup dialog can be opened by typing big letters "HKT" anywhere on the
      page. It then presents some basic information about the handling of
      current URL. It also allows the user quickly define new
      {{ doc_page_link('rules', 'script_blocking') }} or
      {{ doc_page_link('payloads', 'packages') }} for it. As of Haketilo 3.0,
      however, the actual configuration is not performed from the popup itself
      but rather a relevant Haketilo rule/payload definition page is opened in a
      new tab.
    {% endcall %}

    {% call paragraph() %}
      The dialog can be closed by clicking anywhere on the darker area around
      it. It can then be reopened by typing "HKT" again.
    {% endcall %}
  {% endcall %}

  {% call section() %}
    {{ medium_heading('Enabling/disabling') }}

    {% call paragraph() %}
      Popup is unavailable by default on Haketilo special sites including
      <code>https://hkt.mitm.it</code>. It can also be disabled independently on
    {% endcall %}

    {% call unordered_list() %}
      {% call list_entry() %}
        pages with JS allowed,
      {% endcall %}
      {% call list_entry() %}
        pages with JS blocked and
      {% endcall %}
      {% call list_entry() %}
        pages with script payload injected.
      {% endcall %}
    {% endcall %}

    {% call paragraph() %}
      This can be configured on the {{ hkt_link('setings page', 'home.home') }}
      and might be useful to users who are careful about fingerprinting.
    {% endcall %}
  {% endcall %}

  {% call section() %}
    {{ medium_heading('Fingerprinting considerations') }}

    {% call paragraph() %}
      To make the popup available, Haketilo has to inject an additional script
      to all pages. That makes it easy for pages to determine with certainty
      that given user is running Haketilo. This has implications for privacy and
      may also be used by a hostile site to selectively cause annoyance to
      Haketilo users.
    {% endcall %}

    {% call paragraph() %}
      The above problems would be present regardless on pages with
      Haketilo-injected payloads. I.e. in many cases a site could theoretically
      find out the user is not accessing it in a normal way. However, the popup
      also increases fingerprintability when no payload is in use and especially
      on pages with JavaScript allowed. For this reason, the presence of popup
      on pages has been made configurable.
    {% endcall %}

    {% call paragraph() %}
      It is also worth noting that as of version 3.0 Haketilo does not make
      guarantees about the browser fingerprint. Despite best efforts, there are
      still other aspects that might make a Haketilo user distinguishable to a
      website even when popup is disabled.
    {% endcall %}
  {% endcall %}

  {% call section() %}
    {{ medium_heading('Other caveats') }}

    {% call paragraph() %}
      Some other potential issues related to the popup are described below.
    {% endcall %}
  {% endcall %}

  {% call section() %}
    {{ small_heading('Interference with the site') }}

    {% call paragraph() %}
      The popup gets injected by Haketilo into the actual web page. Although
      care was taken to make accidental breakage unlikely, it might still happen
      under some specific conditions.
    {% endcall %}
  {% endcall %}

  {% call section() %}
    {{ small_heading('Interference with other script-blocking tools') }}

    {% call paragraph() %}
      The popup is driven by a piece of JavaScript code injected by Haketilo to
      pages. Haketilo by itself makes sure neither the policies specified by the
      page nor its own script-blocking mechanisms interfere with this particular
      piece. In spite of that, a browser extension or web browser's own settings
      might prevent the popup script from executing, making the dialog
      unavailable.
    {% endcall %}
  {% endcall %}

  {% call section() %}
    {{ small_heading('URL mismatch') }}

    {% call paragraph() %}
      Sometimes a page might change parts of its address visible in browser's
      URL bar. E.g. after opening <code>https://entraide.chatons.org/</code> in
      the browser we might see <code>https://entraide.chatons.org/en/</code> as
      the current address even though no reload happened. In addition, some
      browsers hide URL's traling dash ("/") from the user. Regardless of that,
      Haketilo's popup always presents the original URL under which the current
      page was served. Although this the intended behavior, it might cause
      confusion and therefore has been documented here.
    {% endcall %}
  {% endcall %}
{% endblock main %}