HTTP Switchboard for Chrome/Chromium:

Discussion in 'other software & services' started by apathy, Nov 25, 2013.

  1. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    You can just whitelist a domain to allow everything for that domain, except whatever is blacklisted. My advice is to not go too granular. Personally, I blacklist cookies, XHR and frames, so that if I whitelist a site to unbreak it, I don't expose myself too much privacy-wise to the site (XHR can be used by javascript to send back information, including cookie contents). I rarely used the cells in the middle, except maybe when I want to unbreak a site permanently in a more restrictive way.

    It all depends what are your worries.
     
  2. drm2000

    drm2000 Registered Member

    Joined:
    Apr 20, 2014
    Posts:
    18
    Question on HTTP SB and Ublock and HOSTS FIles...

    I use the Chrome Browser with both Linux and Windows. In both Windows and Linux, I am using UBlock and HTTPSB side by side. I also have the MVPS HOSTS file setup in Windows and Linux systems.

    If I have a HOSTS file setup on the system, is there any advantage/disadvantage to enabling the MVPS HOSTS file in UBlock and HTTPSW? I'm thinking that this would just be redundant and slow the system down ...

    Additionally, If the MVPS HOSTS file is enabled in UBlock, is there any reason to also enable it in HTTPSB?
     
  3. tlu

    tlu Guest

    It doesn't slow the system down as HTTPSB and µBlock are written very efficiently. And yes, it's redundant. However:

    1. Unless you don't use the MVPS HOSTS file to protect your computer system-wide, I would suggest to prefer using it in HTTPSB instead as this makes it easy to whitelist specific entries in the that hosts file as an exception in a domain- or site-specific scope if some websites don't work properly without them. You can't do that in a system-wide hosts file.
    2. Even if those adservers etc. are blocked in the MVPS HOSTS file, HTTPSB still "sees" those domains. If you haven't enabled that hosts file in the HTTPSB settings, those adservers will not be regarded as blacklisted and, hence, not hidden from view. Thus, enabling those hosts files is a nice way to "un-clutter" the HTTPSB matrix.

    I prefer the other way round for above reasons.
     
  4. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    This extension seems to be what I've been waiting for, but I don't manage to do what I want.
    I'd like to block third party scripts and frames by default, but I don't manage to do this. With Adblock Plus, I use this rule: ||$script,third-party,subdocument
    But this rules does not work, and I don't manage to use HTTP Switchboard UI to have the equivalent. Any hint ?
     
  5. tlu

    tlu Guest

    Well, first of all, even if you whitelist the script column, all scripts (and anything else) from those hosts which are contained in one of the ubiqituous lists of blocked hosts are still blocked. However, this means that scripts from 3rd party hosts might also be allowed which are not explicitly blacklisted. Example: If you go to

    http://www.nytimes.com/

    and whitelist the script column, scripts from nyt.com and brightcove.com will also be allowed. If you don't want that, just click the script cell for nytimes.com - any other scripts will still be blocked. HTTPSB is very flexible. I suggest to go to its wiki and read the "MUST READ" chapter and the ones below in order to get familiar wit its logic.

    Regarding adblocking: gorhill's other extension, µBlock, has become much more advanced in this regard compared to HTTPSB. That's why he suggests to install it alongside HTTPSB and configure it as described in the lower part of this site.
     
  6. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    Thank you for your answer.
    In your example (www.nytimes.com), by default (when I click on the link), I'd like all scripts and frames to be blocked except those from *.nytimes.com. So *.nyt.com would be blocked by default.
    In options, you have "Auto whitelist page domain", but it's just like if it is not working. :/

    For µBlock, I'm not interested. You can't create your filters. This extension just shows it is better than Adblock Plus to deal with filterset, but it is useless for guys like me who want to have a control on contents. I hope I'll manage to use this "third party" whitelist in HTTP Switchboard; for now I can't use it.
     
  7. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    Why would you say this?

    a.png
     
  8. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    Oh I guess I was not clear enough. I meant I don't have the UI (popup) which allows me to whitelist easily (and to see what have been blocked/whiltelisted).
    But thanks to your screenshot, I saw the right filterset is |http$script,third-party,subdocument.
    Too bad this filter only works in µBlock, it does not work with HTTP Switchoard. Maybe you could fix it, but I guess you're working on µMatrix only now. But if it's an easy fix for HTTPSw, then I could use it instead of Adblock Plus.

    I think I understood you don't like this "third party" stuff ("it has been included due to popular demand"), but if you look closely, Noscript, Adblock Plus and RequestPolicy (and others, but I took popular Firefox addons) all have an option for this. It would be great if you have something visual in the popup UI to deal with third party stuff, instead of dealing with an AB+ filter.
     
  9. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    "||" is to anchor to a hostname label. There is no hostname in your filter, hence need to anchor to a hostname label. The single "|" is to anchor to the start of a URL. Unsupported in HTTPSB. uBlock doesn't support no-token filters. I do not want to encourage users to rely on impossible to optimize filters -- which is the case when there are no token. Also, I need to add that you would actually need two filters, one for "http" and one for "https".

    Now regarding your comment your "just shows it is better than Adblock Plus to deal with filterset": It's not just efficiency, µBlock is better than Adblock Plus to care about your privacy. It might have something to do with having no links whatsoever, direct or indirect, to the ads industry.

    For example: https://github.com/gorhill/uBlock/issues/264#issuecomment-57812998. Many claims from ABP about protecting the users are downright misrepresentations (i.e. taboola, addthis). uBlock will offer you more control than Adblock Plus, with the filter option "important" (bypass any existing exceptions), and "inline-script" (prevent inline script tags from executing). I have plan to bump up the UI for better control without having to create a filter -- but whatever I come up with will be optional, and off by default, but if enabled will add that one extra control which will appeal to users who like a bit more control.

    And I really wish to go back to HTTPSB, as I've had great ideas to improve the implementation to push the efficiency much higher, which would allow a more natural UI (the layering of scopes).
     
    Last edited: Oct 4, 2014
  10. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    Thanks for the detailed answer and sorry if I sounded harsh with µBlock. It is nice, like HTTPSB. I have high hopes in you, in having the extension I waited for years for chrome: unblock third party stuff on demand.
    Unfortunately, even if NoScript or Request Policy had projects for chrome, there's still nothing for Chrome today except buggy extensions and I lost hopes, until I discovered HTTPSB. So if you lack motivation, remember I've been dreaming of this for several years. :)
     
  11. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    This is what I've been prototyping for uBlock at the same time I worked on local mirroring. I had to put the code on hold though as the local mirroring feature proved to be more work than expected. But it is coming, as an optional feature, I want uBlock to keep its install-and-forget appeal.
     
  12. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
  13. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    Whitelist `admin.brightcove.com`, and `plugin` for `c.brightcove.com` (this one is blacklisted by some lists).
     
  14. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Thanks gorhill that do it perfectly... any tips what to look for video blocked like that... like how do I know which one should I white listed for next time?
     
  15. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    In Google Chrome, you can use Developer tools (right click > Inspect element or you can use menu), then you go on Network Tab, you can sort by "status", and see in red what has been blocked.
    It's less usable than "blockable elements" window from Adblock Plus for Firefox, or the popup UI from "HTTPSB" but it's still something.

    By default, in HTTPSB or µBlock, there's a lot of filtersets used, so it can be very tricky to see which filterset is responsible. That's why it is not recommended to use several filtersets in Adblock Plus.

    @gorhill: What do you advise for element hiding ? Do you think it is better to use µBlock, or we should use css stuff like Stylish ?
     
  16. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Thanks Pilou42 for the explanation... I'll try that next time I found something that block
     
  17. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Any timeline for uMatrix to be released? I'm sure uBlock has you busy enough as is.
     
  18. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    Alpha version released: https://github.com/gorhill/uMatrix/releases

    I will take the time it takes for an official release, but it works well as far as I can tell. For differences with HTTPSB, read here.

    Biggest differences:
    - No more sandboxed rules, all rules propagate to related narrower scopes
    - A "1st-party" row
    - Manual rule management a lot simpler
     
  19. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    It looks perfect.
    My first comments:
    1) on µBlock there's a shortcut (eye icon) which allows to inspect page; it would be nice to have this.
    2) With these rules:
    * * * block
    * 1st-party * allow
    * youtube.com frame allow
    youtube.com ytimg.com * allow

    I expect pages to let youtube frames, but it does not, they keep blocking ytimg.com, whereas ytimg.com is asked by youtube.com frame, and then it should work. But maybe there's something I did not understand right now.
     
  20. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    The source hostname is whatever appears in the URL of the address bar (aka the "scope"). As opposed to ABP filters, everything in frames which is on a different hostname than what the one in the address bar is deemed third-party.

    I have to admit I struggled to decide whether a 1st-party should be very strict or lose. In the end I decided strict because that is the safest choice. If I allow 1st-party cookies, I expect no Youtube cookies will make it to Youtube servers when it's an embedded video on a non-Youtube page.

    This way of behaving is actually consistent with Chromium's way of treating 3rd-party cookies/site data: anything in a frame not on the same domain as the page address is deemed third-party.
     
  21. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    Just installed µMatrix 0.8.0.0 alpha 3 for a quick test run and it seems images are being blocked when a site is not whitelisted (1st-party or otherwise), and they are not being reported in the Blocked stats (and the console?). Also, some Allowed stats are always shown, even with no filter selected, or with only Blocked selected. Other than that it's looking good so far.
     
  22. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    Do you have steps to repro so I can see what happens? A URL etc.
     
  23. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    I tested on the µMatrix GitHub page after installing. I removed 1st-party from the whitelist globally (so only css and img are whitelisted globally). Images won't load until I whitelist 1st-party or the domain name.
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,532
    Location:
    North Carolina, USA
    Hello,

    Just a thought and/or a suggestion:
    Since uMatrix is a new extension and to avoid confusion by making posts about uMatrix here in the HTTPSB thread, we may want to use a new thread for this. There has been a new thread started here: µMatrix - the HTTP Switchboard successor. We may want to make posts there about uMatrix to seperate the two extensions and avoid confusion.....
     
  25. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    862
    Location:
    Canada
    Good catch. Images are not blocked, it's the web font resources which are blocked, and which are used by Github as icons. In uMatrix I normalized request types for portability purpose, and I forgot to change a `stylesheet` keyword as `css` in there.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.