chit chat: WebAPI Manager [Extension] #258
Comments
This should make it more readable https://paste.kthnxbai.xyz/?66ca6958c57438f6#foGznhCBHiNPdOI5W+GdjTlKNas6LNyoe1k2+5pCzrU= |
it passes the rules with a temporary cookie: https://github.com/snyderp/web-api-manager/blob/master/background_scripts/background.js#L111 and that's probably why it did nuttin for you. The whole cookie thing is weird and I'm not sure it's always gonna work as expected. Meaning it's maybe possible to create a site that overwrites the rules. https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/cookies/get
btw a site can also easily detect if the addon is installed:
afaik Ambient Light Sensor API is disabled with the sensors pref. |
Installed WebAPI Manager on FF56, no configuration: Network console shows a bunch of icons files from assets-cdn.github.com |
@Thorin-Oakenpants |
"more than one cookie with the same name " ! ie
the latest version on github doesn't have the web accessible resources anymore. ps the login issues should be fixed in version 0.9.2 as well |
the addon is adding an additional cookie to the response header and therefore the cookie will most likely get the same FPI etc as if the site itself set it. Why mention same names? because I (or a site) can set a specially crafted cookie which perhaps can overwrite the addon's rules. I haven't tested it yet because I don't think I will use this extension anyway. Just throwing ideas out there in case someone else wants to do some testing. |
if this is what it takes to offer a semblance of privacy, it simply is not worth it IMO
another ext. that offers similar functionality is http-useragent-cleaner - i used to use it and i wrote an EN manual for it - what a f'n joke - the ego-laden dev is impossible to deal with
if you have to configure stuff on this kind of granular level, it's hardly worth browsing the www - you'll spend more time un-breaking shit than actually reading the site's content
just dealing with uM and uBO is enough of a hassle IMO - more layers just add to the hassle |
@2glops Just pinging you on this b/c I had a hell of a time working out the issue with the login issue. The most recent commit (and what I'll be pushing as a .9.2 w/in 24 hrs) should have fixed it. I'm all but certain it's a FF issue (specifically a bug in how their webExtension#webRequests implementation handles adding additional Set-Cookie headers, which seems to cause previous Set-Cookie headers to be coalesced incorrectly…) Anyway, if you're still interested in the extension and end up using 0.9.2, and could let me know if you're still seeing the issue, I'd appreciate it a ton :) |
Also, re: the discussion about configuring this thing is a pain in the butt, I completely agree :) The goal is to have a possible EasyList/ABP/etc subscription style service set up for it before a 1.0 release. Fingers crossed… |
My guts/balls/6th sense is telling me this WE have a lot of potential. |
@snyderp |
agreed - as @crssi said, i think there's a lot of potential here but i (and i'm sure others) am not keen on messing with yet another ext. in addition to uM, uBO, etc. - i think if it could essentially cover the same functionality that they do and wrap it all into a single ext., then bingo - i guess it would almost have to use the existing blocklists since there's so many out there
maybe WebAPI Manager already does cover the basic functionality of uBO/uM - i don't know - much of the stuff it does is over my head |
FWIW, from a high level, the way to think about this project vs. things like uBO, uM, NoScript etc, is that those tools control whose code can execute on your machine. WebAPI Manager controls what code can do. From my perspective, the approaches that these other extensions (along with Ghostery, PrivacyBadger, etc.) take are useful in the common case, but (for most categories) easily circumvented by an attacker / ad company / etc. My approach is to constrain the capabilities of code, regardless of the origin of the script. Hope that helps :) |
Sure! |
@snyderp are you aware that the blocking is bypassed on https://browserleaks.com/javascript?

click on Example script with contentWindow

```js
var iframe = document.createElement('iframe')
iframe.style.display = "none"
document.body.appendChild(iframe)
var w = iframe.contentWindow
```

EDIT added an example script (click on the above text with the arrow to expand) |
@publicarray Very interesting, no I did not know about this! I should be able to easily extend the blocking technique to this point as well, but it's surprising to find out they don't actually share the same view of the DOM. Thank you for the point! If you could open an issue on the extension, that would be extremely helpful. Otherwise, I'll do so when I'm back at the keyboard in a while. Thanks for the find 👍 |
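The behaviour discussed in the two comments above, as an added illustration that is not part of the thread or of the extension's code: Node `vm` contexts stand in for a page and a newly created iframe, `Date.now` stands in for a blocked Web API method, and every function name is hypothetical. It shows that stubs installed in one realm do not reach a freshly created realm, and that installing them at realm creation closes that gap.

```javascript
// Added illustration, not from the thread or the extension. Node vm contexts
// stand in for browser realms; Date.now stands in for a blocked Web API method.
const vm = require('vm');

const BLOCKED = ['Date.now', 'Math.random']; // constructed sample block list

// Overwrite every blocked method inside one realm with an inert stub.
function blockIn(realm) {
  for (const path of BLOCKED) {
    vm.runInContext(`${path} = function () { return undefined; };`, realm);
  }
  return realm;
}

// Models createElement('iframe') + contentWindow: a realm with its own built-ins.
function newRealm() {
  return vm.createContext({});
}

// Hardened factory: the realm is instrumented before any caller can use it.
function newRealmBlocked() {
  return blockIn(newRealm());
}

// True when both realms hold the very same function object for `path`.
function sameBuiltin(a, b, path) {
  return vm.runInContext(path, a) === vm.runInContext(path, b);
}

// True when code running in `realm` still gets a real value from `path`.
function isReachable(realm, path) {
  return vm.runInContext(`typeof ${path}() !== 'undefined'`, realm);
}

function demo() {
  const top = blockIn(newRealm());   // extension instruments the page
  const child = newRealm();          // page script obtains a new frame
  const guarded = newRealmBlocked(); // same step with creation-time blocking
  return {
    top: isReachable(top, 'Date.now'),
    childUnpatched: isReachable(child, 'Date.now'),
    childPatched: isReachable(guarded, 'Date.now'),
  };
}

console.log(demo());
```

In a WebExtension the counterpart of `newRealmBlocked` is making sure the instrumentation runs in every child frame before page script can use it.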
anybody try this thing with google/maps? i couldn't get earth view to work with all filters disabled - i had to disable the extension
this is with the ghacks config with...
... all of which break earth view according to my tests
dunno if you guys use earth view, but to activate it you apparently need to click on something on the map that will produce a thumbnail image, like a street, then click on the thumbnail, then zoom out using the scroll wheel - this should get you there, all you need to do is try zooming out: https://tinyurl.com/y8tro8c3
i'll open a ticket on the WebAPI Manager page if we think the problem is on that end |
@atomGit Hmm, interesting, possibly another bug, though things seem to be working for me. I'm visiting www.google.com/maps with the following settings blocked:
Can you make sure you're using the 0.9.3 version (which fixed some relevant CSP issues), and if you're still seeing problems, please open an issue? I'll make sure to get things straightened out ASAP. Thanks! |
@publicarray Thank you again for raising this. I've added it as issue 20 and will get it sorted out right away |
What I don't understand is why we can't just select all the things we want disabled all the time, and then on a per-site basis re-enable some stuff. Why do we have to choose between your pre-defined sets of rules? I haven't tried the extension yet because I'm still on FF52, but from what I understand, we must choose between Conservative and Aggressive and then adjust each website based on how different we need to be from these 2 sets of rules. Why not let me decide the base set? Seriously, what if your base set disables something I want enabled most of the time? Am I going to edit every single website I visit to re-enable this? It would be much better if I could decide what the baseline is... Regards, |
@B00ze64 Oh, I think there is some misunderstanding. You for sure can set all the standards to be disabled in the "(default)" case. The "Lite" / "Standard" / "Aggressive" cases are just conveniences. There is nothing stopping you from doing what you describe (there just isn't a one button, pre-configuration setting for it currently). Does that address your concern? If I'm still misunderstanding, please let me know! |
@snyderp @Thorin-Oakenpants Oh! I'm sorry, my bad. I can't test the extension, so I didn't get it. That AddOn is on my "AddOns to get once I upgrade FF" because it controls some stuff that I am currently forced to enable globally (e.g. beacons (eBay breaks for me without this)). It will be nice to be able to control things on a per-site basis. Thanks! |
@psnyde2 - yes, i'm using 0.9.3
visiting google.com/maps alone won't reveal the issue i discovered - you have to get into "earth view" specifically which is different than satellite view
if you use the URL i provided (https://tinyurl.com/y8tro8c3) that should get you into "street view" - from there, you have to use the mouse wheel and scroll backwards (zoom out in other words) and after about 2-3 clicks of the scroll wheel, your view should change noticeably to where you can move around with the arrow keys, the mouse (drag) and the Shift key just like you would see if you were running google earth locally
make sure these are "false"...
... and if you cannot enable earth view, then disable WebAPI, reload the map page and try again - this time you should be able to zoom out to activate earth view
just so you understand the diff, with street view you are limited to where you can go on the map according to where google sent their mapping vehicles (the roads and, in some cases, locations photographed with hand-held cameras) whereas with earth view, you can 'fly' anywhere you want without being restricted by roads or altitude - in street view the mouse wheel zooms, but your location never changes - in earth view the mouse wheel moves your position |
@atomGit Ah, I am able to see the issue now. Thank you for the detailed description :) As of So, if you allow all the standards on google.com now, you can get back to satellite view again (while still having the extension blocking for other domains). Thanks again and hope that helps! |
snip