HTTP Switchboard for Chrome/Chromium:

What are the current blacklist types on HTTPSB if you install it on a virgin machine? Mine needed to to delete plugins to have only Frames there.

What are you suggestions as blacklisted ones as of current state?

 

Only "frame" are blacklisted out of the box. Originally "plugin" was also blacklisted, but I removed this once I became more familiar with Chromium, I found out using click-to-play was much more convenient.

 

I would consider blacklisting 'other' by default. It's rarely used but it seems dangerous/ vague. An attacker could avoid a blacklisted cell just by being not-recognized, right?

Also, one thing that falls under 'other' is when you try to save an image, at least on Facebook and I assume on other sites. Might want to consider allowing that behavior by default/ separate that type of request out (shouldn't need its own cell though).

 

I also find that most 'others' are found in the behind the scenes section, so you may want to take a look at those as well.

 

Yes, there's an 'other' for prefetching omnibox results I believe, and a few other things like apps updating.

 

tnx a bunch ray!

i love that your extension is pretty easy to use in 'relaxed' mode while the more geeky can granularize 'till the cows come home.

 

Unlike `<iframe>`, whatever `other` represents does not have a history of being used for as a malware vector. This is why I blacklist `frame` out of the box, because `<iframe>` does have an actual track record of being used as a vector for malware. So at this point I leave it to the user to blacklist this type as he wished.

Also, it is not *that* rarely used. I've completely disabled Flash plug-in lately, and this results in the HTML5 `<video>` object to being used instead on Youtube, and these `<video>` objects are fetched using the `other` type.

(Strangely, I found that Youtube may not serve HTML5 videos even if explicitly requested when the Flash plug-in is enabled, whereas it consistently delivers HTML5 videos if Flash plugin is disabled.)

Unfortunately, at the level HTTPSB operates, there is no way to know the precise context of a particular HTTP request. So when user wants to download an image (or whatever else), there is no way for HTTPSB to know this is for a "Save As" operation by the user.

 

Just for the record, I need to correct myself here: Facebook is responsible for the inconvenient size, not the site itself. It's rather silly to say the least to default to a Facebook button size of 1000px x 1000px. I don't know why they did it this way.

 

@ gorhill

If the three adblockplus lists within “Ubiquitous rules” tab are enabled, is this going to replace what EXACTLY Adblock Plus extension does?

Just today I found this thread about HTTP Switchboard. I think if this thread was in "other anti-malware software" subforum OR "privacy technology" subforum, then it was going to be watched by more members and consequently more feedback and suggestions.

Thanks so much for this awesome extension!

 

No, not exactly, they intersect a lot though. I did some objective benchmarks for their blocking abilities. Results can be seen here: https://github.com/gorhill/httpswit...t-Popular-News-Websites#wiki-february-26-2014

Biggest difference is that ADB modify the DOM whereas HTTPSB doesn't. It does happen sometimes that ADB will nicely remove some nuisances from the DOM. There was the case of a page somewhere in this thread where ADB was able to "fix" the page by removing some invisible element from the DOM, which was preventing a page from working properly for a user with only HTTPSB.

Ultimately it depends of your surfing habits. Personally I don't need ADB on my main computer, as I tend to avoid web sites which are overly bloated, but we use it on our HTPC because media sites tend to be overly bloated.

v0.8.3.0 is out by the way, which version will further emphasize another big difference between ADB and HTTPSB: the latter is significantly leaner CPU-cycle- and memory-wise.

 

HTTPS updated to v0.8.3.0 . Thank you very much.

I read somewhere within this thread that you are going to include DOM modification in future. Is it possible to give an estimated date for this?

Regarding the possibility to move this thread into the "privacy technology" subforum, is it doable?

 

It's rather the opposite, I don't intend on including DOM modifications à la ADB. I still do entertain the idea of a companion extension, as lean as possible, which would be able to apply rules found in ADB-compatible files which have no match in HTTPSB. But in the end, all this is hobby, so whatever I spout here cannot be taken as a promise of anything. As long as I have fun doing this I will keep doing this.

Re the thread, I did not create it, and I have don't really have an opinion on whether it should be moved or not. I will leave that to others to decide.

 

In addition to what the others have said: some websites still display ads with HTTP SB, when they are hosted on the same domains which need to be greenlisted for the website to function properly, e.g. Facebook.

 

Thanks a lot for the new version! One question: Are you considering an option to automatically update the preset lists?

 

I updated my 'Definitive Guide For Securing Chrome' to include HTTPSwitchBoard. I'll add a bit more later about it, but I wanted to get it in there.

 

Yes, I thought about it. I am still undecided though but I do lean toward keeping it manual. These are not critical updates, just convenience ones (the code itself, the critical part, will always be updated by whatever web store HTTPSB was installed from), so I kind of like the idea of letting the user choose when to update, and at the same the user has an opportunity to look at what has changed if he wishes to.

 

I started this thread and your right it should be in the privacy section. Perhaps some kind moderator could move this thread.

 

an extension such as HTTP SB or NoScript deals with more than just privacy:
it helps with security and to reduce bandwidth sucking sludge.

personally, i put reducing bandwidth sludge at the top of my list.

 

Would there be any way to do 'allow' rules by default for the TLD? For example instead of just whitelisting images for all content ont he page, what about just the TLD?

 

You mean the ability to whitelist "com", which would be inherited by all ".com" domain name?

I would have to think about how this can fit in the framework. For sure it doesn't fit in the matrix (very early versions used to have this but there was many bad consequences UI-wise).

Currently everything stops at whatever is in the Public Suffix List, and default to blacklisted at this point.

 

Thanks, gorhill, for all the work you're putting into this project. I feel httpsb brings security capabilities to Chrome on par with Firefox now, especially with the behind-the-scenes control and other features.

Have you had a chance to work on blocking meta refreshes (usually redirects) in <noscript> tags? I think I read on Github or somewhere in this thread that you were pondering a separate extension for that?

 

Actually I was incorrect to say TLD. I meant the first party site. So instead of CSS being available to wilderssecurity.com and all other third party sites by default, instead have it only available to wilderssecurity.com (or any other content/ other website)

 

Raymond, thanks a lot for the v. 0.8.4.1 update! One important step closer to abandoning Adblock.

I've noticed two problems, though: The HTTPSB symbol is now always gray (no longer green/red), and smart auto-reload does not work anymore.

Another question: If I enable "Parse and enforce Adblock+ complex filters (beta).", it always tells me: "0 complex filters used."

EDIT: After updating the "Assets", the HTTPSB symbol is colored again.
EDIT2: And now I'm also getting the message: "16,637 complex filters used." Strange ....

 

Not good... Given the symptoms, it looks like HTTPSB is throwing exceptions, which should show up in the extension console. Can you see anything? Sometime Chrome update breaks an extension's internal state, and forcing a reload of it fixes things... Now I am scared, I hope I didn't break it for everybody.

EDIT: Ok I did check on a fresh install of HTTPSB in Chrome, and all worked well (I am a bit relieved to say the least -- each update I get a anxious a lot, being scared of breaking the extension in a major way). Now is to find what i happening in your particular case.

EDIT: Ok, I will try to get a new revision ASAP, I think there is one narrow case when some timing conditions arise when the lists are loaded. That does match your symptoms.

 

Did you see my edit above? The problems seem to be related to the previously missing "Assets" update.