andryou / scriptsafe
a browser extension to bring security and privacy to chrome, firefox, and opera
Home Page: https://www.andryou.com/scriptsafe
When you navigate around Youtube, every link you click gives a delay before the red line at the top appears. When I disable the extension, there is no delay.
Is this a known issue?
Chrome v51.0.2704.63m
ScriptSafe v1.0.7.3
Existing trusted domains appear to process as expected but the "Trust" button no longer accepts a click action with 1.0.7.4 on chrome/win64.
If Default Mode = Allow, a blocked domain should still be directly accessible, just with scripts and other selected types disabled/blocked.
If Default mode = Block, a blocked domain should not be directly accessible.
I'm no stranger to tweaking ScriptSafe settings (and also no expert), but this one seems to be defeating me.
Disqus comments are used by a HUGE percentage of the web, and since the latest ScriptSafe update, they will not display for me, though they used to display before the update.
Console shows this:
VM67:3 Uncaught SecurityError: Blocked a frame with origin "http://dilbert.com" from accessing a frame with origin "http://disqus.com". Protocols, domains, and ports must match.
If I click on the error, the code in question appears to be around line 3 of this:
(function (){
function processFunctions(scope) {
var triggerblock = scope.document.createElement('div');
Is this part of the new fingerprinting code? Is it working as designed?
When I click the ScriptSafe icon, the dropdown menu does not fit within the dropdown window. I have to use the slider at the bottom of the window to see the whole thing. This does not happen with other add-ins. Very occasionally (but not usually) if I change the zoom level of the browser tab before I click the ScriptSafe icon, this problem goes away. I have attached a screenshot.
I am on Chrome (V 51.0.2704.79 m) on Windows 7, ScriptSafe V 1.0.7.4.
This seems similar to issue #7 but different enough I thought I wouldn't hijack that issue.
I wanted to know if there are existing public filter lists for ScriptSafe, just like Adblock/Plus or Ghostery. Otherwise, are there any plans to build a database to share all our configs?
I use a Chromium build which does not include the Google API key, so Sync and other Google services do not work. ScriptSafe usually asks on the first start if the Sync service should be used but without the API key it just crashes.
Using a build with the API key and disabling the Sync option, then switching back to the build without the API key also does not work.
On most tabs, the dropdown menu is incomplete even though the website was previously whitelisted only showing "Resources (hover each to see paths)" and the bottom line of links. The ScriptSafe icon could be red or green.
This behavior resolved after restart of Chrome.
Plugin: ScriptSafe v1.0.6.19
OS: Windows 10
Browser: Google Chrome Version 51.0.2704.63 m (64-bit)
After installing the plugin I cannot use Google search from the address bar. I normally type my search request in the address bar but that doesn't work anymore. When entering a search request and hitting 'Enter' it goes to google.com without any search results.
Example:
Type "test search" in my address bar.
Hitting 'Enter'
Result: https://encrypted.google.com/#safe=off&q=test%20search
Without any search results. Just the Google box where I can enter my search request
With the recent updates to ScriptSafe it halts Tweetdeck features by not allowing the user to open images nor links. Cannot manually find a fix for it either in the options of ScriptSafe.
As per the latest changelog: "Made "Respect Same-Domain" behaviour more secure; now requires you to allow/temporarily allow a blocked page in order for it to load same-domain elements"
This, for me, is unwanted behavior. For example: I want to browse facebook. I have to (temporarily) allow facebook to do that. The problem is now, I just want to allow it in its own tab, but this enables it in all other tabs and pages as well, doesn't it?
From the top of my mind there are 2 ways this could be tackled:
I do NOT dare/want to trust for example googlevideo.com that is serving up videos to youtube.com, or brightcove.com, cloudflare.com or akamai.net etc., which stream multimedia or serve content for a lot of unknown web sites. Partly because of security concern (possibly moot/paranoid, see below), partly because I want to avoid multimedia autoplay on (most) sites.
I know that this might be moot in context with choosing to trust the main domain in the first place.
If I choose to enable JS for a new, unknown site, then I am obviously already exposed and at risk, ok. Bear with me for a minute, please:
Moreover, I am not sure as of how exactly this part of Scriptsafe actually works, so let me describe the uncertainty:
a) What exactly happens "behind the scenes" when I have JS turned off by default, visit a new, unknown (untrusted) web site (domain) that streams content from cloudflare.com or amazon-aws? If I previously have whitelisted cloudflare.com for a different web site which I do trust, will that trust allow this new, unknown web site to automatically serve content from there, even BEFORE that unknown site is allowed to run JS? (Can something go on server-to-server between that domain and cloudflare.com, which is not blocked by my ScriptSafe settings? Hopefully not, but I would like to be sure about that part.)
b) I am not sure, but if a) is moot, is it even remotely possible to have multimedia content streamed from such third-party web sites if they are whitelisted, even WITHOUT allowing JS on the main site? I guess not, as it is probably (mostly) the JS on the unknown site that needs to trigger that third-party connection, right? (Curious as to whether that technically speaking is a necessity, or simply the most normal way of setting things up: can some sites choose to use server-to-server trickery that would allow multimedia content to start streaming even without local JS being allowed?)
I am perhaps just paranoid in this case, and b) is possibly just wishful thinking.
The "real" and most practical concern:
c) Regardless of if a) is moot or not: I do not want media to (always) automatically start streaming. I want to be in control of that through some rules that automate some of it. So I want to block the stream through not permitting JS for the main domain I am visiting, but then allow streaming from those main providers once I have allowed JS for the new domain (if I do that at all).
Examples:
I want to be able to AVOID trusting those same sites automatically. Hence the whitelist "pairing". Whenever I (permanently) allow/trust JS for example for cloudflare.com to run at a selected domain, cloudflare.com should NOT be allowed to automatically run its JS on any other sites that are NOT in the "paired whitelist". And that whitelist needs to cover wildcards/subdomains (*.brightcove.com, *.cloudflare.com, etc.)
Does this make sense?
And btw;
Another uncertainty of mine, perhaps just an addition to the FAQ etc.:
There are some bugs and great differences between v1.0.7.6 I think.
Since v1.0.7.7 I cannot really find a setting that acts as I expect. Maybe I do not understand the new options?
Hi Andrew,
Firstly thanks for the great work on this.
I've recently updated to the latest version but ScriptSafe seems to have stopped working.
It no longer shows the scripts and I can't seem to control any of the pages. Not really sure what's up but would really appreciate it if you can take a look at it.
Submitted v1.0.7.9 for publishing and got hit by the manual review again. Will close this issue when reviewed + published by Google.
This is a pretty big release:
Code diff between v1.0.7.8 and v1.0.7.9: v1.0.7.8...v1.0.7.9
If you can't wait for the Chrome Web Store to manually review and publish this update, read: https://github.com/andryou/scriptsafe/wiki/Frequently-Asked-Questions#how-do-i-install-the-latest-version
When opening Chrome after a ScriptSafe update has taken place, a page is shown detailing the updates. This is brilliant but unlike the options page where a TITLE shows this is ScriptSafe related, the updated page does not have a TITLE and one must read down to realise what this relates to. It would be useful to have a title banner matching that of the options page.
1.0.7.10 is always crashing with Iron browser 51.0.2700 builds compiled w/o WebRTC
This is all I get now...
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
extensions::uncaught_exception_handler:8 Error in event handler for (unknown): TypeError: Cannot read property 'mode' of undefined
at chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/popup.js:72:21
handler @ extensions::uncaught_exception_handler:8
(anonymous function) @ extensions::uncaught_exception_handler:100
EventImpl.dispatch_ @ extensions::event_bindings:376
EventImpl.dispatch @ extensions::event_bindings:393
target.(anonymous function) @ extensions::SafeBuiltins:19
publicClass.(anonymous function) @ extensions::utils:94
dispatchOnDisconnect @ extensions::messaging:306
I've noticed you've revamped the domain matching logic, great work. However, the migration from the previous version to the new domain matching logic didn't seem to go all too smooth, as all my previously trusted domains have now been turned into just "allowed" domains.
Now, this doesn't cause too many issues, but it does cause some:
*.localhost doesn't allow any script to run on localhost (as it's not www.localhost)
For subdomain-of-subdomain.subdomain.example.com, where I had the pattern *.example.com, previously I'd expect the script to be loaded, but since 1.0.7.0 it won't because of the new pattern matching system.
Of course, the above are rather rare issues, but in the panel these previously trusted domains also show up as just allowed. For me, it's not a big issue as I've just purged my whitelist completely since the previous update because it was cluttered with old rules and now it's relatively empty, so it's reasonably easy to just update all patterns, but for other users this might be an issue.
For the majority of the users, it's already too late by now to fix this, but I advise to set up some kind of migration from old patterns to new ones if you update the pattern matching system again in the future.
Thanks for the efforts, been using this extension for ages now and I really like the new matching system 😄
Creating a separate issue for this finding found here: #25 (comment)
ScriptSafe should offer users control over as many pages as possible, which includes the new tab page. Progress is being made to achieve this as shown in this screenshot of a dev build:
The new WebRTC feature breaks using the AWS console. Having it enabled causes lots of refreshing. All the relevant domains for JavaScript are enabled.
Ensure test WebRTC connection (to see if browser supports it) is terminated so it doesn't interfere with power management settings.
I suspect the problem I described in #4 is/was caused by some improper handling of IPv6 addresses. IPv6 addresses seem completely broken in scriptsafe right now.
When visiting a site that requests JS from an IPv6 address the UI applet breaks with this error:
Error in event handler for (unknown): Error: Syntax error, unrecognized expression: [rel='x_[false'] [rel='['] .x_[
at Function.fa.error (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:12556)
at fa.tokenize (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:18609)
at fa.select (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:21417)
at Function.fa [as find] (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:7143)
at n.find (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:23932)
at n.fn.init (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:24485)
at n (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:405)
at chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/popup.js:130:13
Manually adding IPv6 addresses to the whitelist/blacklist is not possible either. Trying to add the entry [::1] to my whitelist shows an "Invalid domain" popup message.
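Added example (not ScriptSafe's own code; all function names are hypothetical) serving two reports above: the pattern-matching report (*.localhost should cover localhost, *.example.com should cover any depth of subdomain) and the IPv6 report here (a bracketed [::1] entry accepted as a valid list entry, and a host quoted before it lands in a CSS selector). It assumes list entries are the raw strings a user types into the whitelist/blacklist.

```javascript
// Added example (not ScriptSafe's own code); all names are hypothetical.
// Parses the entry forms a user may type ("example.com", "*.example.com",
// an IPv4 literal, or a bracketed IPv6 literal such as "[::1]") and
// returns { kind, value }, or null when the entry is invalid (so a bad
// entry like "**.foo.com" is rejected instead of throwing).
function parseListEntry(entry) {
  const e = String(entry).trim().toLowerCase();
  if (e === '') return null;
  if (e.startsWith('[') && e.endsWith(']')) {
    const addr = e.slice(1, -1);
    // Minimal IPv6 shape check: hex digits and colons, at most one "::".
    if (!/^[0-9a-f:]+$/.test(addr) || addr.indexOf(':') === -1 ||
        addr.split('::').length > 2) return null;
    return { kind: 'ipv6', value: addr };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(e)) return { kind: 'ipv4', value: e };
  const wildcard = e.startsWith('*.');
  const name = wildcard ? e.slice(2) : e;
  // Hostname labels: letters, digits and hyphens; a single label such as
  // "localhost" is allowed.
  const label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
  if (!new RegExp(`^${label}(\\.${label})*$`).test(name)) return null;
  return { kind: wildcard ? 'wildcard' : 'host', value: name };
}

// Normalise a request host so it compares with entries:
// "[::1]:8080" -> "::1", "Example.COM." -> "example.com".
function normalizeHost(host) {
  const h = String(host).trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end === -1 ? h.slice(1) : h.slice(1, end);
  }
  return h.replace(/:\d+$/, '').replace(/\.$/, '');
}

// Does a parsed entry cover `host`? A wildcard entry covers the bare
// domain and any depth of subdomain, but never a lookalike suffix
// ("*.example.com" does not cover "notexample.com").
function entryMatches(entry, host) {
  const h = normalizeHost(host);
  if (entry.kind === 'wildcard') {
    return h === entry.value || h.endsWith('.' + entry.value);
  }
  return h === entry.value;
}

// First raw list entry that covers `host`, or null. Invalid entries are
// skipped rather than aborting the whole lookup.
function firstMatch(list, host) {
  for (const raw of list) {
    const entry = parseListEntry(raw);
    if (entry && entryMatches(entry, host)) return raw;
  }
  return null;
}

// Quote and escape a value before it goes into a CSS attribute selector,
// so a host such as "::1" or a pattern containing "*" or "[" cannot break
// the selector the way the "unrecognized expression" error above shows.
function attrSelector(attr, value) {
  const escaped = String(value).replace(/[\\"]/g, c => '\\' + c);
  return `[${attr}="${escaped}"]`;
}
```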
When enabled in Chrome attempting to search from the address bar will work briefly. Eventually when searching from the address bar nothing will happen at all. For example - when searching for the term "search" this web address https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8 will pop up but only a blank white web page with absolutely nothing it appears. Sometimes reloading the page can make the Google search page pop up but the text that should have been searched will no longer be present and no results displayed. Only disabling the extension entirely when searching resolves the issue completely. The issue is intermittent but definitely connected to ScriptSafe.
Please put together a coherent release and then push it all at once--my computer is not your personal sandbox. Your extension is about to get uninstalled.
OS: Windows 10; Threshold 2 (Build 10586)
Browser: Chrome ver. 51.0.2704.84 m
Scriptsafe ver. 1.0.7.11
Affected site: https://tweetdeck.twitter.com/
With the Block Click-Through Referrer option enabled, I cannot open up images in my feeds to view them at larger size. They will load at small size within the feeds, my mouse cursor will change to the magnifying glass when hovering over them, but clicking does nothing.
With BCTR disabled, behavior returns to normal upon a page refresh. Turning the setting back on and refreshing causes the issue again.
Changelog for this version:
As well, the update page now includes the ScriptSafe title (#39)
If you're interested in helping out and testing this version, skip to step 2 in the second set of steps on: https://github.com/andryou/scriptsafe/wiki/Frequently-Asked-Questions#how-do-i-install-the-latest-version (it shouldn't take more than 2 minutes to get set up)
In addition to the above, if you'd like you can export your current ScriptSafe settings and lists into the beta version (I recommend doing this):
Download: https://dl.dropboxusercontent.com/u/784305/scriptsafe1.0.7.11_beta.zip
If you find any issues, please check if there is an existing issue for it (https://github.com/andryou/scriptsafe/issues) or comment here.
If you don't run into any issues, I'd appreciate it if you could also comment here to let me know!
Thank you!
I've been having this issue for the last two days I think, and I have it only when ScriptSafe is enabled.
When I load a page, Chrome freezes for a few seconds. On some websites it isn't really noticeable, but on others it really is.
Some examples :
See: http://www.ted.com/talks/daniele_quercia_happy_maps
if enabled but not whitelisted, no player
If enabled but whitelisted, nothing on play
If disabled, player and works
I just wanted to make an announcement regarding updates:
Moving forward, you can expect the following:
Thanks.
One very useful feature I'm missing with ScriptSafe is a hotkey to trigger "allow all blocked for session".
When I use Firefox with NoScript, I configure "ctrl p" to temporarily allow JavaScript on one webpage.
Thank you and your scriptsafe.
The only item listed as blocked is <NOSCRIPT>, but the log in button is greyed out unless I disable ScriptSafe.
FYI, I manually told chrome (51.0.2704.79) to check for updated extensions.
Thanks for the great extension.
With certain files (I suspect tracking pixels), µBlock Origin tries to redirect them to some other file, but ScriptSafe hijacks the redirect, causing an extension error on Google Chrome.
Warning:
This extension failed to redirect a network request to data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw== because another extension (ScriptSafe) redirected it to data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==.
Both extensions continue to function as expected, thus making this more of an annoyance.
OS: Windows 10 Pro
Google Chrome: 51.0.2704.63
ScriptSafe: 1.0.7.1
µBlock Origin: 1.7.2
On a new install (v1.0.7.4), the Trusted button isn't working, and attempting to manually add **.foo.com to the whitelist on the settings page generates the following error:
options.js:280 Uncaught ReferenceError: key is not defined
haystackSearch @ chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/scriptsafe.js:291
domainHandler @ chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/scriptsafe.js:331
addList @ options.js:280
whitelistlisten @ options.js:64
dispatch @ jquery.js:3
r.handle @ jquery.js:3
https://bugs.chromium.org/p/chromium/issues/detail?id=333318
This disrupts some ScriptSafe features (e.g. dynamic webbug detection, inline element blocking). In lieu of this, the chrome.webRequest.onBeforeRequest listener works quite well in controlling resource loading. In other words, ScriptSafe is still functioning as it should (what you see being blocked is actually being blocked).
Not a showstopper for us, but I was quite disappointed when I noticed a test webbug (1x1 image) wasn't being removed during my tests and found out this has been deprecated and removed in Chrome. Will need to see if there are any solutions.
Hi,
I have noticed that this extension causes an issue with Google search: when I search something and click a link -> open the website -> click the browser's back button -> Google search goes to the previous search that I possibly did before the search I am talking about. It basically skips one search.
Everything is working normally when I have ScriptSafe turned off, so this problem has to be related to ScriptSafe. Whitelisting does not work.
Hope you are still developing ScriptSafe and could look for this issue. Thanks!
I've been using ScriptSafe for years (when it was ScriptNo!) and I love it. I've found one particular thing a bit lackluster though: the ability to not only whitelist individual domains or sites, but do it on a per-site basis.
For example, I make use of free online services such as social media, and I want them to be able to continue to operate by letting them display ads to me. This requires allowing normally untrusted domains, however I ONLY want to allow those domains while I'm on their site. So, basically, I'd like a secondary whitelist where, if I visit the site, ScriptSafe is disabled or at least performs the same function as "allow all blocked for session".
I know we're getting keyboard shortcuts so that's a partial solution, but I've also found that the "allow all blocked for session" function often doesn't work, and still ends up blocking untrusted resources when the page reloads. I want something more definitive so I can know that, on site XYZ, there is no blocking occurring. 😄
Hello,
I'm having a strange issue on ScriptSafe v1.0.7.10: After updating to the latest version and synchronizing my settings/whitelist from my Google account to one of my other machines, there are sites that are in the whitelist (for example, *.twitter.com), that are still being blocked by ScriptSafe. When I attempt to trust the site, the following message displays:
ScriptSafe detected 1 existing rule(s) for twitter.com (1 whitelist and 0 blacklist).
Do you want to delete them in order to avoid conflicts?
Note: this might not necessarily remove all conflicting entries, particularly if they use regex (e.g. d?main.com).
If I select OK, I then need to refresh the page before ScriptSafe will allow the site.
This is happening on two different machines that I use to sync my settings using my Google account.
Wondering why scriptsafe now requires additional permissions:
Are there release notes as to why these new permissions are required? I didn't see any specifics, may have just missed them.
Thanks for your work!
Says
"ScriptSafe was recently updated/reloaded.
You will need to either refresh this tab, create a new tab, or restart your browser in order for ScriptSafe to work."
I've restarted the browser, the computer, disabled and re-enabled.
If I go to "options" I can check boxes but clicking "save" doesn't do anything. Using Chromium Version 38.0.2125.111 Ubuntu 14.04 (290379) (64-bit)
Sorry, I'm a total newb so I know I'm not going to ask the right way, but I have been a long time user and have been able to follow your directions for a long time to make things work well enough to stay out of trouble. But now my LastPass is no longer working unless I disable. This just happened this morning, after the 1.0.7.11 update. Is there a setting or something I am missing now?
Does anyone know why Scriptsafe is now un-enabled every time Chrome is started? It used to always be enabled when Chrome was started. Is it some new safety feature? Thanks!
well here's a low-priority annoyance...
(on facebook.com, in this instance...) I go to Menu > More Tools > Add To Desktop ('open as window' checked), and pin this to the taskbar. Then via chrome://extensions, set a keyboard shortcut [Alt-Z] to activate ScriptSafe. A few versions back, I used to be able to use this, and the menu would appear at the top left of the window. Now it seems to either be obscured or not firing at all. Chrome also had a few updates recently, so maybe it's something on their end.
// as an aside... Chrome on XP never could activate by shortcut properly (in a "pinned app" window) anyway, 1/4 of the menu would show on the inside top-left edge of the window, but the rest was cut off by the window frame. and yes, I do still use XP at work. It's very painful, in general.
Happens at least 50% of the time and makes it very difficult to use ScriptSafe.
Pressing the ScriptSafe icon is supposed to lower the UI to allow selection of permissions. Instead of lowering all the way, it lowers only about 25% or less (about the height of two of the UI buttons). This makes it impossible to select, say, "Trust" or "Temp" on any of the listed resources because they are not visible.
Repeatedly pressing the toolbar icon eventually drops the entire UI low enough to use it.
Latest version v1.0.6.19
Adding a wildcard on a subdomain to the whitelist does not allow scripts on the subdomain.
Steps:
1. Whitelist *.client-channel.google.com
2. Open mail.google.com with a logged in account and wait for the hangouts app to load
3. <num>.client-channel.google.com appears in the blocked resources list
These servers are used by the hangouts application and are not accessed for up to 20 seconds after page load (on this machine).
please block this
Canvas Fingerprint
www.browserleaks.com/canvas
AudioContext Fingerprint
https://audiofingerprint.openwpm.com/
Battery API
http://techcrunch.com/2015/08/04/battery-attributes-can-be-used-to-track-web-users/
WebRTC unique device IDs
www.browserleaks.com/webrtc
/////////
webgl fingerprint:
WebGLRenderingContext
WebGLShader
WebGLTexture
WebGL2RenderingContext
audiocontext fingerprint:
webkitAudioContext
OfflineAudioContext
AudioContext
webkitAudioContext
createDynamicsCompressor
createOscillator
OscillatorNode
webkitOfflineAudioContext
WebRTC and WebRTC unique device IDs:
MediaStreamTrack
RTCSessionDescription
RTCDataChannel
webkitRTCPeerConnection
RTCPeerConnection
battery status api:
getBattery
Repeat above with ScriptSafe disabled and note that the dropdown behavior executes and renders as expected.