HTTP Switchboard for Chrome/Chromium:

A recipe i'm using for Time.com...

Code:

http%3A%2F%2F*.time.com%0A%09whitelist%0
A%09%09*%20apis.google.com%0A%09%09*%20b
rightcove.com%0A%09%09*%20brightcove.com
.edgesuite.net%0A%09%09*%20cdn3.optimize
ly.com%0A%09%09*%20fyre.co%0A%09%09*%20g
etpocket.com%0A%09%09*%20gravatar.com%0A
%09%09*%20livefyre.com%0A%09%09*%20odb.o
utbrain.com%0A%09%09*%20optimizely.com%0
A%09%09*%20pinterest.com%0A%09%09*%20sim
plereach.com%0A%09%09*%20taboola.com%0A%
09%09*%20taboolasyndication.com%0A%09%09
*%20time.com%0A%09%09*%20timeinc.net%0A%
09%09*%20wordpress.com%0A%09%09*%20wp.co
m%0A%09%09*%20www.readability.com%0A%09b
lacklist%0A%09%09*%20gstatic.com%0A%09%0
9*%20*%0A%09graylist%0A%09%09*%20cdn.tab
oolasyndication.com%0A

...and huffingtonpost.com

Code:

http%3A%2F%2Fwww.huffingtonpost.com%0A%0
9whitelist%0A%09%09*%205min.com%0A%09%09
*%20aol.com%0A%09%09*%20aolcdn.com%0A%09
%09*%20atwola.com%0A%09%09*%20fwmrm.net%
0A%09%09*%20huffingtonpost.com%0A%09%09*
%20huffpo.net%0A%09%09*%20huffpost.com%0
A%09%09*%20newrelic.com%0A%09%09*%20pint
erest.com%0A%09%09*%20reddit.com%0A%09%0
9*%20sail-horizon.com%0A%09%09*%20simple
reach.com%0A%09%09*%20slate.com%0A%09%09
*%20taboola.com%0A%09%09*%20taboolasyndi
cation.com%0A%09%09*%20wikinvest.com%0A%
09%09*%20youtube.com%0A%09%09*%20ytimg.c
om%0A%09%09image%20*%0A%09blacklist%0A%0
9%09*%20*%0A

 

Thanks.

Coincidentally I just released version 0.7.9.0 which includes Huffington Post as first party. I didn't allow as much as you did however. I think we need to restrict the whitelisting to only 1st-parties (the human version of what constitute a 1st-party, not the machine version obviously), or else it defeats the purpose of using HTTPSB in block-all/whitelist-exceptionally mode -- the presets need to respect this mode as chosen by the user.

The preset recipe beta feature is moving forward, and currently an important information is that there are 1st-party recipes and 3rd-party recipes. youtube.com is first party when on Youtube web site, and 3rd-party for when a Youtube video is embedded on some unrelated web sites. Typically the rules are different, hence the distinction. It's ok for 1st-party rules to be less granular, but for 3rd-parties it is best to keep it as reasonably granular, in order for the preset to work despite the user's choice of blacklisted request types.

I still need to come up with the doc for the syntax, which is not the same as the one used in the Rule manager page (because icons, friendly names, 1st vs. 3rd info, etc.) Geeky users can still probably figure the syntax just by looking at the content of the file until I come up with some doc.

 

I have used this now about 3 weeks and I think it is a keeper. I did try it quite early, but I could not understand or got tired of reading the documentation.

Thank you for adding the Documentation -part into the interface, it seems much more clear now. Btw, what is the jigsaw puzzle type of icon doing in the "matrix toolbar" ?

My Chrome is in finnish language, so this other question is translated to english: What does it mean to allow the extension right to use files URL addresses, that checkbox?

 

Yeah no worries. I sometimes allow some content reluctantly, because that's the only way to achieve the viewing content I'm seeking for the site, so I realize my recipes may not be ideal, likely a bit too permissive for some, although a decent enough starting point where trimming out some of the "fat" isn't too big a task. Some sites are definitely far more difficult to "tune" than others. For example, thechive.com was like pulling teeth

 

http://www.fireengineering.com/video.html

Also, could you add Nimi Cleanser to your tests?

 

The jigsaw puzzle is to access whatever preset recipes may apply to the page, so that users don't have to figure the rules to set in the matrix for, say, make that embedded Youtube video playable. There is not many preset recipes so far, so often the menu is empty, but with time more and more will be available. I should release a revision tomorrow with more of these preset recipes (consider this feature beta).

Regarding the "File urls" it's because there is the "[noparse]<all_urls>[/noparse]" permission in the manfest, which is actually a remnant of very early in development. I tried to keep permissions to a minimum, but I had forgotten about this one, I will reduce to access only "http(s)", so that the option "file URL" should disappear. I never tested with file URL but I would expect HTTPSB to not work properly with these.

 

I don't think it would be a good idea. According to the developer of Nimi Cleanser, the version (side) offered in the Chrome Store is only hiding contents. The full version (main) offered in their website is the one blocking the contents. (This is what I understand from their reply to my email and from the description of the site.)

 

Thanks for pointing that out. I did not know that.

 

I don't know if it's only me - but version 0.7.9.1 is seriously broken on my machine. I've removed it from Chrome and reinstalled it but the problems remain.

Right now there are no rules in the rule manager with the exception of the default ones:

Code:

chromium-behind-the-scene
    whitelist
    blacklist
        * *
*
    whitelist
        * *
        image *
        stylesheet *
    blacklist
        sub_frame *
        * *

I've selected site-specific rules as default.

Now, if I open an arbitrary website like http://www.theguardian.com/uk , all cells are light-green (with the exception of the frame column and the hosts from the integrated blocklists). Not only guardian.com, but also google.com, twitter.com etc.

Can someone confirm my findings?

 

Before you posted I thought I was seeing something strange in the cells I can confirm what you're seeing. Something is broken.

 

Looking into this. Somehow a whitelist all rule is now added. Investigating asap.

Emergency fix pushed to the store. Change log:

• Emergency fix: Due to latest changes regarding scopes, a portion of code which was not revised caused HTTPSB to fall into allow-all/block-exceptionally mode.
• More technically, that piece of code was to whitelist all requests from behind-the-scene scope if the scope was not found. With latest changes, the behind-the-scene scope was indeed never found, and because of this the whitelist-all default rule for behind-the-scene scope was created in the global scope.
• If you were working in block-all/allow-exceptionally mode, please do click the "all" matrix cell to toggle it back to red, and lock the change.
• Sorry. The changes re. scopes was a big change, and I failed to revise this one portion of code.

​

Question to tlu and wat0014: Did the problem showed up after you reinstalled the extension? I am wondering how many users are affected, and it normally should affect only users who remove/re-installed, or new users.

 

Thanks, Raymond, for the fast fix! It seems that everything is okay now. The important thing to do is what you wrote:

I had a problem with the Chrome web store and downloaded 0.7.9.1 from your website. Surprisingly, it did not replace the old HTTPSB version - I had both versions in the list of extensions That's why I exported my rules from the old version (and removed it) and imported them into the new one, and that was the moment when those observed problems started. As mentioned, I removed also the new version and reisntalled it but the problems remained.

 

I never actually re-installed the extension. All I did was enable Developer mode under Extensions then ran Update extensions now.

 

Yes, when you install from a local folder, it's installed as a different extension with it's own id, different that the one from the store, this way the store cannot mess up with people's local installation.

 

I was wondering how many of the host blacklists you guys have selected? You can sure select a lot, easily resulting in overkill due to multiple redundancy.

 

Does HTTP Switchboard remove/block flash cookies?

AFAIK, there is no redundancy, if a site is listed in two list, it will only load in the memory the site in the other list.

 

Perhaps it's possible to choose another color for the cells of those omnipresent user-blocked hosts like, say, violet (or whatever). This would be a clear distinction from other blacklisted hosts.

Regarding "interactively set": I wonder if that's really a big problem here. Any user who wants to efficiently use HTTPSB must be familiar with the different types of scopes. Those users know that they have to choose global scope in order to create omnipresent rules. Those who don't, won't use this functionality anyhow Nevertheless it's clear that it must be detailed in the documentation.

 

No. To mitigate this I suggest these Chromium settings:

• Privacy => Content settings => Cookies => Keep local data only until I quit my browser
• Privacy => Content settings => Plug-ins => Click to play (difficult for a plug-in to phone home if it is not running on the page.

I see Chrome API supports chrome.browsingData.removePluginData, so I could certainly add a feature resembling the current cache removal: "Remove plugin data every x minutes". This one is more likely to have negative side-effects (what if the user is currently watching a Youtube video?), so need to think about it more thoroughly (maybe do it only if no net traffic of type "object" has been seen for 5 minutes or something).

It's loaded only once in memory. I tried to emphasize this with a change I made lately in the _Settings_ page, which shows how many entries are used out of the total for a list which is checked.

EDIT: For what it's worth, personally I check all the lists, except the gigantic "hosts-file.net/hosts.txt".

 

Hi gorhill,

i set up HTTP SB for Facebook but now I want to revert to the "official" recipe, because i think my set up is leaking too much of info to them.
Can i simply copy and import the Recipe and then HTTP SB is going to overwrite my settings or should I make it another way?

Thanks.

 

HTTPSB sometimes does not display the need to allow scripts in the matrix.

Example: After the problems with 0.7.9.1 I created new rules for a couple of sites. When I went to https://github.com/gorhill/httpswitchboard/issues, clicking the sort button had no effect. In the matrix I saw that scripts were needed for github.global.ssl.fastly.net which I whitelisted but to no avail. The script cell for github.com was empty. Nevertheless I whitelisted it, reloaded the site (which now showed an entry in the XHR cell), and I was able to click the sort button and select a different sort option although the script cell for github.com is still empty (and the XHR cell is still blacklisted).

 

I checked, and there is no javascript for "github.com", that's why the script cell is empty. The scripts are pulled from "github.global.ssl.fastly.net" (2), and the sort feature works through XHR (which is a request to "github.com"), so this one needs to be enabled. My own recipe for github.com is:

github.com%0A%09whitelist%0A%09%09*%20gi
thub-camo.global.ssl.fastly.net%0A%09%09
*%20github.com%0A%09%09*%20github.global
.ssl.fastly.net%0A%09%09*%20githubapp.co
m%0A%09blacklist%0A%09%09sub_frame%20*%0
A%09%09*%20*%0A​

It has always been working fine.

 

The preset recipes in presets.txt are not compatible with the Rule Manager recipes (I call them both recipes because I lack imagination). Did you create the Facebook rules in the global scope or in some narrower scopes? If from a narrower scope I would say go to the Rule manager and just delete all entries in that one scope, so you can re-create it from scratch.

When importing rules, there is no overwrite, as HTTPSB wouldn't want to destroy rules a user created himself.

There is a lot of polishing to do and I think I will focus on polishing for the next releases, but for now we are often forced to do a few annoying steps for what should be basic operation.

Also btw, what you call "official" recipe I can't vouch 100% for it, I expect users to report issue if it doesn't work. I don't have a Facebook account and it wasn't tested for logging in (this actually apply to all sites for which I will try to create a recipe without having an account).

 

Oh wow, there''s even more. I use all of them except EasyList/Fanboy (cause of ABP) and the full hpHOSTS (way too many false positives).

 

I use all of them.

 

... which is in decoded view:

Code:

github.com
    whitelist
        * github-camo.global.ssl.fastly.net
        * github.com
        * github.global.ssl.fastly.net
        * githubapp.com
    blacklist
        sub_frame *
        * *

So you've whitelisted the complete github.com domain (which includes the script column). My rules are the following:

Code:

github.com
    whitelist
        xmlhttprequest github.com
        cookie *
        image *
        object *
        script github.global.ssl.fastly.net
        stylesheet *
    blacklist
        sub_frame *
        * *

... simply because the github.com script cell shows no entry (or request). github-camo.global.ssl.fastly.net and githubapp.com do not show up in the matrix here.

So again, the script cell for github.com is empty (which corresponds with what you said) - but my recipe above is not enough to make the site work properly: I have to explicitly whitelist the (empty!) script cell for github.com (which is already included in the whitelisting of the github.com domain in your recipe, of course).