HTTP Switchboard for Chrome/Chromium:

Using exploit pages:

Malware domains are the same importance as ads--simply blocked. Malware hits should block the entire page regardless.

Otherwise, wild exploits are redirecting like hell through a greylist cascade and only stop when the page domain is dirty (versus 3rdP page assets tagged as malware and warning from there). Same with native Chrome JS black/whitelisting. It only focuses on the page domain being dirty/B-listed--not the secondary page assets which statistically raises the chances of other unknown redirects existing exponentially if tagged as malware.

Would love to see ref, and to ice the cake, redirect controls (behavioral and likely outside api control). All the filthy pages are using 3 redirects before even landing at a spiffy Blackhole ploit to obfuscate the url. It's more likely to hit these types of dirty links versus direct zero-days with less redirects.

Also these exploit pages are begging to insert "likes" etc via XSS. Ref control would kill XSS to our more prized sites.

& agreed with the difficulty in blocking redirects which by course of matter do not show in the grid matrix end landing page. A user option to blacklist urls via the LOG would increase usability.

Anyhow, you are the Dev we've been praying for. Hugs n Kisses...

 

Is there a method to simply clear all rules?

 

I think I really like this addon, now that I got the hang of it. Chrome just with LastPass and HTTP Switchboard. Feels good.

 

I implemented that yesterday as part of the Rule manager, will be in next release. It's always taking longer than I wish. I am in the thorough revision of the changes now.

 

Great, thanks. Keep up the good work.

 

I love the new interface especially the locking system.

 

I'm rewriting all of my rules from scratch, I'll post them here (in this specific post) as I create them (just the popular sites that others may be using, not random stuff I encounter). I try to block ads where possible, I rarely allow 'other', and I will try to block requests where possible. I only have one site in global scope, which is imgur images and XHR so that sites that inline imgur will work.

If there are any issues for you with them let me know.

http://*.feedly.com

https://www.facebook.com

https://www.imo.im

https://www.wilderssecurity.com

https://accounts.google.com

https://github.com

https://mail.google.com

http://imgur.com (site specific, not global ruleset)

https://www.youtube.com

https://twitter.com

https://pay.reddit.com (cookies blocked from non SSL reddit)

https://movies.netflix.com (use HTTPS Everywhere to force Netflix to HTTPS, you may want to have this as https://*.netflix.com for signin, I just have two per-site rules with signin.netflix.com only allowing cookies)

 

and other fixes.
the "Commit All" button is particularly useful for me because i don't have to lock each things individually after importing my rules.

merci beaucoup Ray!
thanks Ray, the best just keep getting better!

 

@ Hungry

Great job!! Actually your recipes work very well.

 

Thanks. For some reason Facebook needs to allow plugins on akamai for chat to autoupdate... not sure why. No plugins *appear* to be running on the page. Perhaps it's for the videochat.

I'll edit my post with the new ruleset.

 

Yeah, actually also if you play some game within FB you need to change some settings, especially about cookies.

 

Yeah, I don't play Facebook games. The ruleset posted is purely for going on and messaging and basic functions. For something like video chatting or games you'll need more permissions.

 

So are these rules just an optional thing for the picky among us, or is this turning into one of those situations/programs where its power and effectiveness is determined by how much you screw with it? I hope it is the former. I would like the dev to continue to focus on simplicity as much as can be done, without too much influence from power users. Otherwise I fear ease of use will get lost in a plethora of features and configurations. I apologize if my comments sound negative, they aren't meant that way. But I have seen it happen to other programs and developers.

 

It can be either. If you want to come up with tight rule sets, you can. Or you can still block a lot while maintaining simpler rulesets.

 

I am wondering if I should whitelist cookies globally and let Chrome itself handle cookies, with a default deny cookie policy combined with permanent exceptions and session only cookies for certain website.

Maybe I don't fully understand how HTTP Switchboard handles cookies, but I have gotten used to Firefox's Cookie Monster add-on.

 

Yeah, you can whitelist all cookies. Just create a global rule for cookies.

 

Excellent. New users and those who aren't security fanatics shouldn't have to spend more time figuring out how to do things and making up complicated rules, than simply using it.

 

I know people who use it with all whitelisted -- just by clicking the top-left corner cell (and removing the blacklist status of frames and plugins):



Even then, the extension is still useful as it still blocks whatever hostnames are blacklisted from the preset blacklists (trackers/ads/analytics/etc.). NoScript bothered them and would not use it, so it is an improvement now using HTTPSB, which can be used in allow-all/block-exceptionally mode (instead of only offering block-all/allow-exceptionally mode) and still benefit from the preset blacklists.

 

I especially like the per site permissions, so I can allow *.facebook.com only on -https://www.facebook.com.

 

@ Hungry

were you able to stop adverts on FB? Actually I had to re-enable ADB, otherwise they show up..

 

I don't think they can be completely removed by HTTPSB, just the images

 

Anyone know of a way to deal with cloudfront.com ?

IT's loaded as a third party resource by a lot of websites, but always with a string of random numbers before it, making generic whitelisting of it impossible through the UI.

A rule for *.cloudfront.com would be nice.

 

Gorhill, thank you.

Hungryman, I was always worried about those URLs and rarely allowed them in NoScript unless it was forced on me. It may sound stupid, but the way they were listed, they looked like they were malware scripts on the page so I tried to avoid them.

 

Yes, but unfortunately some pages won't load properly without them.

 

So I've noticed. They're starting to infest websites like Facebook, so hopefully Gorhill finds a way to better control them. I'm finally getting to where the extension is comfortable to me.