andryou / scriptsafe

a browser extension to bring security and privacy to chrome, firefox, and opera

Home Page: https://www.andryou.com/scriptsafe

CSS 1.12% JavaScript 95.53% HTML 3.35%
blacklist block browser chrome control extension fingerprinting firefox javascript noscript opera privacy protection scriptsafe security tracking whitelist

scriptsafe's People

Contributors

andryou, aykutcevik, ndrwy, photon3108, tjwallas

scriptsafe's Issues

Freezes Youtube navigation for 5 seconds

When you navigate around Youtube, every link you click gives a delay before the red line at the top appears.... When I disable the extension, no delay...

Is this a known issue?

Chrome v51.0.2704.63m
SafeScript v1.0.7.3

update breaks Disqus comments

I'm no stranger to tweaking ScriptSafe settings (and also no expert), but this one seems to be defeating me.

Disqus comments are used by a HUGE percentage of the web, and since the latest ScriptSafe update, they will not display for me, though they used to display before the update.

Console shows this:
VM67:3 Uncaught SecurityError: Blocked a frame with origin "http://dilbert.com" from accessing a frame with origin "http://disqus.com". Protocols, domains, and ports must match.

If I click on the error, the code in question appears to be around line 3 of this:
(function (){
function processFunctions(scope) {
var triggerblock = scope.document.createElement('div');

Is this part of the new fingerprinting code? Is it working as designed?

Dropdown menu does not fit in window, requires horizontal scrolling

When I click the ScriptSafe icon, the dropdown menu does not fit within the dropdown window. I have to use the slider at the bottom of the window to see the whole thing. This does not happen with other add-ins. Very occasionally (but not usually) if I change the zoom level of the browser tab before I click the ScriptSafe icon, this problem goes away. I have attached a screenshot.

I am on Chrome (V 51.0.2704.79 m) on Windows 7, ScriptSafe V 1.0.7.4.

This seems similar to issue #7 but different enough I thought I wouldn't hijack that issue.

Subscription list

I wanted to know if there are existing public filter lists for ScriptSafe, just as Adblock/Plus or Ghostery. Otherwise, are there any plans to build a database to share all our configs?

Crash on Chromium without API key

I use a Chromium build which does not include the Google API key, so Sync and other Google services do not work. ScriptSafe usually asks on the first start if the Sync service should be used but without the API key it just crashes.
Using a build with the API key and disabling the Sync option, then switching back to the build without the API key also does not work.

On Update Dropdown Menu Not Complete

On most tabs, the dropdown menu is incomplete even though the website was previously whitelisted only showing "Resources (hover each to see paths)" and the bottom line of links. The ScriptSafe icon could be red or green.

This behavior resolved after restart of Chrome.

No "quick search" from address bar

Plugin: ScriptSafe v1.0.6.19
OS: Windows 10
Browser: Google Chrome Version 51.0.2704.63 m (64-bit)

After installing the plugin I can not use google search from the address bar. I normally type my search request in the address bar but that doesn't work anymore. When entering a search request and hitting 'Enter' it goes to google.com without any search results.

Example:
Type "test search" in my address bar.
Hitting 'Enter'
Result: https://encrypted.google.com/#safe=off&q=test%20search
Without any search results. Just the Google box where I can enter my search request

Unable to fully use Tweetdeck

With the recent updates to ScriptSafe it halts Tweetdeck features by not allowing the user to open images nor links. Cannot manually find a fix for it either in the options of ScriptSafe.

Respect Same-Domain issues

As per the latest changelog: "Made "Respect Same-Domain" behaviour more secure; now requires you to allow/temporarily allow a blocked page in order for it to load same-domain elements"
This, for me, is unwanted behavior. For example: I want to browse facebook. I have to (temporarily) allow facebook to do that. The problem is now, I just want to allow it in its own tab, but this enables it in all other tabs and pages as well, doesn't it?
From the top of my mind there are 2 ways this could be tackled:

  1. Add a "Respect Same-Domain" button to the popup, which would whitelist pages just for this feature.
  2. Add a relaxed mode for this, which behaves like previous versions.

Feature request: paired whitelist for thirdparty domains (with wildcard) per referring (main) domain

I do NOT dare/want to trust for example googlevideo.com that is serving up videos to youtube.com, or brightcove.com, cloudflare.com or akamai.net etc., which streams multimedia or serves content for a lot of unknown web sites. Part because of security concern (possibly moot/paranoid, see below), part because I want to avoid multimedia autoplay on (most) sites.

I know that this might be moot in context with choosing to trust the main domain in the first place.
If I choose to enable JS for a new, unknown site, then I am obviously already exposed and at risk, ok. Bear with me for a minute, please:

  • What if it is not the main site that has been compromised, but actually brightcove or akamai or googlevideo? And what if it is only that site's user account with those big providers that has been compromised, but not all other user accounts there? I would like to have partial control on where block most, but not all, depending on the main domain.

Moreover, I am not sure as of how exactly this part of Scriptsafe actually works, so let me describe the uncertainty:

a) What exactly happens "behind the scenes" when I have JS turned off by default, visit a new, unknown (untrusted) web site (domain) that streams content from cloudflare.com or amazon-aws ? If I previously have whitelisted cloudflare.com for a different web site which I do trust, will that trust allow this new, unknown web site to automatically serve content from there, even BEFORE that unknown site is allowed to run JS? (Can something go on server-to-server between that domain and cloudflare.com, which is not blocked by my Scriptsafe settings? Hopefully not, but I would like to be sure about that part.)

b) I am not sure, but if a) is moot, is it even remotely possible to have multimedia content streamed from such thirdparty web sites if they are whitelisted, even WITHOUT allowing JS on the main site? I guess not, as it is probably (mostly) the JS on the unknown site that needs to trigger that thirdparty connection, right? (curious as of if that technically speaking is a necessity, or simply the most normal way of setting things up: can some sites choose to use server-to-server trickery that would allow multimedia content to start streaming even without local JS being allowed?)

I am perhaps just paranoid in this case, and b) is possibly just wishful thinking.

The "real" and most practical concern:

c) Regardless of if a) is moot or not: I do not want media to (always) automatically start streaming. I want to be in control of that through some rules that automate some of it. So I want to block the stream through not permitting JS for the main domain I am visiting, but then allow streaming from those main providers once I have allowed JS for the new domain (if I do that at all).

  • but I also want to have the flexibility to PREVENT that autoplay also when I temporarily allow JS. So I want a flexible setting for how this pair should be trusted in tandem, so to speak.

Examples:

  • I do want to keep JS off and turn them manually on for Youtube. But I do NOT want to go through the *.googlevideo.com variants that keep changing for each video (and multiple entries per page/video as well...), once I have (temporarily) allowed JS for YT. So what I would prefer in the case of YT is to whitelist *.googlevideo.com automatically, but only in effect after I (temporarily) allow JS for YT and reload that page. And only for the pair/combination of YT and googlevideos.com. Not automatically permitting any other site that may use googlevideo.com (if any).
  • same goes for videos served through brightcove.com: I want to disallow brightcove for all domains in general, but automatically trust it whenever I turn on JS for specific sites that are already in the (new) "paired whitelist" that I am suggesting here.

I want to be able to AVOID trusting those same sites automatically. Hence the whitelist "pairing". Whenever I (permanently) allow/trust JS for example for cloudflare.com to run at a selected domain, cloudflare.com should NOT be allowed to automatically run its JS on any other sites that are NOT in the "paired whitelist". And that whitelist needs to cover wildcards/subdomains (*.brightcove.com, *.cloudflare.com, etc.)

Does this make sense?

And btw;
Another uncertainty of mine, perhaps just an addition to the FAQ etc.:

  • Does "Trust" ("trust entire domain") mean that ONLY the JS on that particular domain and its subdomains will be allowed, OR does it mean that ALSO any other thirdparty sites called by that domain will automatically have its JS allowed on that particular domain? (Hope/assume not, but that is unclear to me, perhaps this should be clarified both on the options page, in the FAQ and in the QuickStart guide? - the latter states: "Trust: adds the entire domain to the whitelist (*.abc.com). Content on video.abc.com and js.abc.com will be allowed to load." I would prefer it to be specifically stated that the trust does not extend to thirdparty sites "trusted/used" by that main domain as well. This question also should be addressed in the FAQ, IMO.)
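
The paired whitelist requested in this issue, sketched as an added example: it is not ScriptSafe's code, and the rule format, `samplePolicy` and the function names `hostMatches` and `decide` are hypothetical. A third-party host is allowed only when the tab's own site is trusted and a pair exists for that exact site, so trusting a CDN for one site never extends to another.

```javascript
// Added example: hypothetical rule format, not ScriptSafe's matching logic.

// Match a hostname against a pattern. "*.example.com" covers example.com
// itself and subdomains of any depth; a pattern without "*." matches exactly.
function hostMatches(pattern, host) {
  const p = String(pattern).toLowerCase();
  const h = String(host).toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  if (!p.startsWith('*.')) return p === h;
  const base = p.slice(2);
  // Require a label boundary so "*.example.com" never matches "evilexample.com".
  return h === base || h.endsWith('.' + base);
}

// Constructed sample policy (hostnames are illustrative).
const samplePolicy = {
  // Sites whose own scripts the user has chosen to allow.
  trustedSites: ['*.youtube.com', 'news.example'],
  // Third parties allowed only while the tab is on the paired site.
  pairs: [
    { site: '*.youtube.com', allow: ['*.googlevideo.com', '*.ytimg.com'] },
    { site: 'news.example', allow: ['*.brightcove.com'] },
  ],
};

// Decide whether a request from a tab on tabHost to requestHost may load.
function decide(policy, tabHost, requestHost) {
  const sitePattern = policy.trustedSites.find(p => hostMatches(p, tabHost));
  if (sitePattern === undefined) {
    // Untrusted site: pairs stay dormant, nothing third-party is unlocked.
    return { allow: false, reason: 'site not trusted' };
  }
  if (hostMatches(sitePattern, requestHost)) {
    return { allow: true, reason: 'first party' };
  }
  // Trusting a site does not extend to the third parties it calls;
  // each one needs an explicit pair for this site.
  const paired = policy.pairs.some(pair =>
    hostMatches(pair.site, tabHost) &&
    pair.allow.some(p => hostMatches(p, requestHost)));
  return paired
    ? { allow: true, reason: 'paired third party' }
    : { allow: false, reason: 'no pair for this site' };
}

// Constructed requests: [tab host, requested host].
const sampleRequests = [
  ['www.youtube.com', 'r3---sn-abc.googlevideo.com'],
  ['unknown.example', 'r3---sn-abc.googlevideo.com'],
  ['news.example', 'r3---sn-abc.googlevideo.com'],
  ['news.example', 'players.brightcove.com'],
];
for (const [tab, req] of sampleRequests) {
  const d = decide(samplePolicy, tab, req);
  console.log(`${tab} -> ${req}: ${d.allow ? 'ALLOW' : 'BLOCK'} (${d.reason})`);
}
```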

Same domain allows subdomains and more

There are some bugs and great differences between v1.0.7.6 I think.

  • Same domain seems to also allow subdomains.
  • Why are there so many WEBBUGS?
  • On youtube you can not see the preview thumbs (you have to allow i.ytimg.com but it's not visible in dropdown)
  • What is this blob() - blob:https://www.youtube.com...

Since v1.0.7.7 I can not really find a setting that acts as I expect. Maybe I do not understand the new options?

v1.0.7.9 Pending Review

Submitted v1.0.7.9 for publishing and got hit by the manual review again. Will close this issue when reviewed + published by Google.

This is a pretty big release:

  • Significant performance increase, due to improved list checking (how significant? Check it out!) (#15)
  • Added new option: Paranoia Mode - block allowed domains on unknown tabs (default: disabled) (inspired by #31)
    • Feel free to enable this option for added security, and uncheck if you prefer to browse without it
    • This is disabled by default as it changes how ScriptSafe behaves up until now
    • I personally recommend enabling it
  • Smart grouping of domains in the panel based on parent domain
  • Added support for recognizing and filtering new tab pages (#30)
  • Minor fixes to hotkey function, options page, and panel
  • Better distinction between webbugs and images (#32)
  • Updated unwanted content providers list

Code diff between v1.0.7.8 and v1.0.7.9: v1.0.7.8...v1.0.7.9

If you can't wait for the Chrome Web Store to manually review and publish this update, read: https://github.com/andryou/scriptsafe/wiki/Frequently-Asked-Questions#how-do-i-install-the-latest-version

update page not obvious enough it's ScriptSafe

When opening Chrome after a ScriptSafe update has taken place, a page is shown detailing the updates. This is brilliant but unlike the options page where a TITLE shows this is ScriptSafe related, the updated page does not have a TITLE and one must read down to realise what this relates to. It would be useful to have a title banner matching that of the options page.

updated page image

options page image

Not working right

This is all I get now..

Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
extensions::uncaught_exception_handler:8 Error in event handler for (unknown): TypeError: Cannot read property 'mode' of undefined
at chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/popup.js:72:21
handler @ extensions::uncaught_exception_handler:8
(anonymous function) @ extensions::uncaught_exception_handler:100
EventImpl.dispatch_ @ extensions::event_bindings:376
EventImpl.dispatch @ extensions::event_bindings:393
target.(anonymous function) @ extensions::SafeBuiltins:19
publicClass.(anonymous function) @ extensions::utils:94
dispatchOnDisconnect @ extensions::messaging:306

Trusted domains turning into allowed only after update to 1.0.7.0

I've noticed you've revamped the domain matching logic, great work. However, the migration from the previous version to the new domain matching logic didn't seem to go all too smooth, as all my previously trusted domains have now been turned into just "allowed" domains.

Now, this doesn't cause too many issues, but it does cause some:

  • localhost was a previously trusted domain because I have a few apps with web interfaces running on them, now its pattern *.localhost doesn't allow any script to run on localhost (as it's not www.localhost)
  • Whenever I visit a site that loads scripts with URLs such as subdomain-of-subdomain.subdomain.example.com and I had the pattern *.example.com, previously I'd expect the script to be loaded, but since 1.0.7.0 it won't because of the new pattern matching system.

Of course, the above are rather rare issues, but in the panel these previously trusted domains also show up as just allowed. For me, it's not a big issue as I've just purged my whitelist completely since the previous update because it was cluttered with old rules and now it's relatively empty, so it's reasonably easy to just update all patterns, but for other users this might be an issue.

For the majority of the users, it's already too late by now to fix this, but I advise to set up some kind of migration from old patterns to new ones if you update the pattern matching system again in the future.

Thanks for the efforts, been using this extension for ages now and I really like the new matching system 😄

Add support for new tab pages

Creating a separate issue for this finding found here: #25 (comment)

ScriptSafe should offer users control over as many pages as possible, which includes the new tab page. Progress is being done to achieve this as shown in this screenshot of a dev build:

[screenshot: 2016-06-07_23-47-04]

WebRTC blocking breaks AWS console

The new WebRTC feature breaks using the AWS console. Having it enabled causes lots of refreshing. All the relevant domains for JavaScript are enabled.

IPv6 addresses not properly handled

I suspect the problem I described in #4 is/was caused by some improper handling of IPv6 addresses. IPv6 addresses seem completely broken in scriptsafe right now.

When visiting a site that requests JS from an IPv6 address the UI applet breaks with this error:

Error in event handler for (unknown): Error: Syntax error, unrecognized expression: [rel='x_[false'] [rel='['] .x_[
at Function.fa.error (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:12556)
at fa.tokenize (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:18609)
at fa.select (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:21417)
at Function.fa [as find] (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:7143)
at n.find (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:23932)
at n.fn.init (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:24485)
at n (chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/jquery.js:2:405)
at chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/popup.js:130:13

Manually adding IPv6 addresses to the whitelist/blacklist is not possible either. Trying to add the entry [::1] to my whitelist shows an Invalid domain popup message.

Scriptsafe not Google friendly

When enabled in Chrome attempting to search from the address bar will work briefly. Eventually when searching from the address bar nothing will happen at all. For example - when searching for the term "search" this web address https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8 will pop up but only a blank white web page with absolutely nothing it appears. Sometimes reloading the page can make the Google search page pop up but the text that should have been searched will no longer be present and no results displayed. Only disabling the extension entirely when searching resolves the issue completely. The issue is intermittent but definitely connected to ScriptSafe.

"Respect Same-Domain" doesn't work?

After new update "Respect Same-Domain" doesn't work.
"Respect Same-Domain" is active but scriptsafe blocks facebook.com on facebook.com.
Bug?

Please stop with the updates

Please put together a coherent release and then push it all at once--my computer is not your personal sandbox. Your extension is about to get uninstalled.

Cannot Open Images on Tweetdeck with Block Click-Through Referrer Enabled

OS: Windows 10; Threshold 2 (Build 10586)
Browser: Chrome ver. 51.0.2704.84 m
Scriptsafe ver. 1.0.7.11
Affected site: https://tweetdeck.twitter.com/

With the Block Click-Through Referrer option enabled, I cannot open up images in my feeds to view them at larger size. They will load at small size within the feeds, my mouse cursor will change to the magnifying glass when hovering over them, but clicking does nothing.

With BCTR disabled, behavior returns to normal upon a page refresh. Turning the setting back on and refreshing causes the issue again.

v1.0.7.11 Beta: Help Test!

Changelog for this version:

  • Further important compatibility fixes for ScriptSafe to work in Chrome-derivative browsers (e.g. not crash) (issue #36 and #37)
  • Greatly reduced page load times/CPU usage if you have large lists and "Block Click-Through Referrer" enabled (#15 and #38)
  • Better behaviour when visiting pages on blocked domains
  • Removed update notification messages based on feedback
  • Better handling of post-page-load inserted content
  • Updated unwanted content providers list

As well, the update page now includes the ScriptSafe title (#39)

If you're interested in helping out and testing this version, skip to step 2 in the second set of steps on: https://github.com/andryou/scriptsafe/wiki/Frequently-Asked-Questions#how-do-i-install-the-latest-version (it shouldn't take more than 2 minutes to get set up)

In addition to the above, if you'd like you can export your current ScriptSafe settings and lists into the beta version (I recommend doing this):

  1. Go to the Options page for your current ScriptSafe version
  2. Copy everything in the Export box at the bottom of the page into a text editor
  3. Set up the beta version (using the link above)
  4. Open the beta version's Options page, and copy/paste the contents you saved in step 2 into the Import box and click on Import

Download: https://dl.dropboxusercontent.com/u/784305/scriptsafe1.0.7.11_beta.zip

If you find any issues, please check if there is an existing issue for it (https://github.com/andryou/scriptsafe/issues) or comment here.

If you don't run into any issues, I'd appreciate it if you could also comment here to let me know!

Thank you!

Chrome freezes when loading a page

I've been having this issue for the last two days I think, and I have it only when ScriptSafe is enabled.
When I load a page, Chrome freezes for a few seconds. On some websites it isn't really noticeable, but on others it really is.

Some examples :

  • youtube freezes for at least 3 seconds every time I click a link
  • every time I load a reddit page, after the page is loaded it freezes for a few seconds (sometimes up to 10) before I can actually interact with the page

v 1.0.7.8

My safescript version 1.0.7.8 no longer separates blocked from allowed and I do not get a temp allow all button.

I believe it is still blocking, but everything looks the same when it comes to permissions displayed. 1.0.7.7 is also different, but looks more like the older versions.

screenshot 2
screenshot 3

ANNOUNCEMENT: Changes to Updates

I just wanted to make an announcement regarding updates:

  • Apology: I apologize for the frequency of updates over the past week. Major updates were made to key parts of ScriptSafe, bugs were found (some very critical), leading to subsequent fixes being pushed out. This led to the number of updates being pushed out.
    • A lot has been accomplished in the past week in terms of features and optimizations (such as added regex matching support, hotkey support, WebRTC protection)
    • I thank everyone for your patience and for sticking around. I do hope you notice a significant performance improvement in your browsing experience.
  • Respect Same-Domain Issue (#25): this is one of the bigger issues that I addressed in an update (v1.0.7.8) I uploaded to the Chrome Web Store at 8:45pm eastern yesterday (Sunday, June 5). Ever since it has been in a "Pending Review" status, meaning someone at Google needs to manually approve it before it is pushed out to users. I've just contacted the Chrome Web Store to inquire about the review status and that it is quite an important update. v1.0.7.8 was manually approved and published 26 hours later by Google.
  • Constructive Criticism: I appreciate constructive criticism (and do take them seriously and try my best to improve ScriptSafe, as you can see from submitted issues here). Denouncing my work is not constructive or meaningful. If you're not happy with ScriptSafe, you're free to uninstall it.

Moving forward, you can expect the following:

  • More updates being grouped together, and updates being pushed out when a good amount of fixes has been accumulated (exception: if any are critical fixes)
  • Fewer critical issues experienced
  • Less frequent updates

Thanks.

Unable to login to trello.com - v1.0.7.7

The only item listed as blocked is <NOSCRIPT>, but the log in button is greyed out unless I disable ScriptSafe.

FYI, I manually told chrome (51.0.2704.79) to check for updated extensions.

Thanks for the great extension.

Extension error with ScriptSafe and µBlock Origin

With certain files (I suspect with tracking pixels), µBlock Origin tries to redirect it to some other file, but ScriptSafe hijacks the redirect, causing an extension error on Google Chrome.

Warning:

This extension failed to redirect a network request to data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw== because another extension (ScriptSafe) redirected it to data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==.

Both extensions continue to function as expected, thus making this more of an annoyance.

OS: Windows 10 Pro
Google Chrome: 51.0.2704.63
ScriptSafe: 1.0.7.1
µBlock Origin: 1.7.2

Uncaught ReferenceError when adding **.foo.com to whitelist

On a new install (v1.0.7.4), the Trusted button isn't working, and attempting to manually add **.foo.com to the whitelist on the settings page generates the following error:

options.js:280 Uncaught ReferenceError: key is not defined
    haystackSearch  @   chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/scriptsafe.js:291
    domainHandler   @   chrome-extension://oiigbmnaadbkfbmpbfijlflahbdbdgdf/js/scriptsafe.js:331
    addList         @   options.js:280
    whitelistlisten @   options.js:64
    dispatch        @   jquery.js:3
    r.handle        @   jquery.js:3

document.addEventListener("beforeload") deprecated in Chrome

https://bugs.chromium.org/p/chromium/issues/detail?id=333318

This disrupts some ScriptSafe features (e.g. dynamic webbug detection, inline element blocking). In lieu of this, the chrome.webRequest.onBeforeRequest listener works quite well in controlling resource loading. In other words, ScriptSafe is still functioning as it should (what you see being blocked is actually being blocked).

Not a showstopper for us, but I was quite disappointed when I noticed a test webbug (1x1 image) wasn't being removed during my tests and found out this has been deprecated and removed in Chrome. Will need to see if there are any solutions.

Back button skips a page when searching Google

Hi,

I have noticed that this extension causes an issue with Google search: when I search something and click a link -> open the website -> click browser's back button -> Google search goes to the previous search that I possibly did before this search I am talking. It basically skips one search.

Everything is working normally when I have ScriptSafe turned off, so this problem has to be related to ScriptSafe. Whitelisting does not work.

Hope you are still developing ScriptSafe and could look for this issue. Thanks!

"Ad-supportive" whitelisting feature

I've been using ScriptSafe for years (when it was ScriptNo!) and I love it. I've found one particular thing a bit lackluster though: the ability to not only whitelist individual domains or sites, but do it on a per-site basis.

For example, I make use of free online services such as social media, and I want them to be able to continue to operate by letting them display ads to me. This requires allowing normally untrusted domains, however I ONLY want to allow those domains while I'm on their site. So, basically, I'd like a secondary whitelist where, if I visit the site, ScriptSafe is disabled or at least performs the same function as "allow all blocked for session".

I know we're getting keyboard shortcuts so that's a partial solution, but I've also found that the "allow all blocked for session" function often doesn't work, and still ends up blocking untrusted resources when the page reloads. I want something more definitive so I can know that, on site XYZ, there is no blocking occurring. 😄

Sites already in whitelist blocked by ScriptSafe

Hello,

I'm having a strange issue on ScriptSafe v1.0.7.10: After updating to the latest version and synchronizing my settings/whitelist from my Google account to one of my other machines, there are sites that are in the whitelist (for example, *.twitter.com), that are still being blocked by ScriptSafe. When I attempt to trust the site, the following message displays:

ScriptSafe detected 1 existing rule(s) for twitter.com (1 whitelist and 0 blacklist).
Do you want to delete them in order to avoid conflicts?
Note: this might not necessarily remove all conflicting entries, particularly if they use regex (e.g. d?main.com).

If I select OK, I then need to refresh the page before ScriptSafe will allow the site.

This is happening on two different machines that I use to sync my settings using my Google account.

New permissions required

Wondering why scriptsafe now requires additional permissions:

  • Read and change all your data on the websites you visit
  • Change your privacy-related settings

Are there release notes as to why these new permissions are required? I didn't see any specifics, may have just missed them.

Thanks for your work!

scriptsafe doesn't block anything after update

Says
"ScriptSafe was recently updated/reloaded.

You will need to either refresh this tab, create a new tab, or restart your browser in order for ScriptSafe to work."

I've restarted the browser, the computer, disabled and re-enabled.
If I go to "options" I can check boxes but clicking "save" doesn't do anything. Using Chromium Version 38.0.2125.111 Ubuntu 14.04 (290379) (64-bit)

Last Pass no longer working? After latest update

Sorry I'm total newb so I know I'm not going to ask the right way but I have been a long time user and have been able to follow your directions for a long time to make things work well enough to stay out of trouble but now my last pass is no longer working unless I disable. This just happened this morning. 1.0.7.11 update. Is there a setting or something I am missing now?

menu positioning/activation for Windows pinned shortcuts?

well here's a low-priority annoyance...

(on facebook.com, in this instance...) I go to Menu > More Tools > Add To Desktop ('open as window' checked), and pin this to the taskbar. Then via chrome://extensions, set a keyboard shortcut [Alt-Z] to activate ScriptSafe. A few versions back, I used to be able to use this, and the menu would appear at the top left of the window. Now it seems to either be obscured or not firing at all. Chrome also had a few updates recently, so maybe it's something on their end.

// as an aside... Chrome on XP never could activate by shortcut properly (in a "pinned app" window) anyway, 1/4 of the menu would show on the inside top-left edge of the window, but the rest was cut off by the window frame. and yes, I do still use XP at work. It's very painful, in general.

UI doesn't extend fully

Happens at least 50% of the time and makes it very difficult to use ScriptSafe.

Pressing the script safe icon is supposed to lower the UI to allow selection of permissions. Instead of lowering all the way, it lowers only about 25% or less (about the height of two of the UI buttons). This makes it impossible to select, say "Trust" or "Temp" on any of the listed resources because they are not visible.

Repeatedly pressing the toolbar icon eventually drops the entire UI low enough to use it.

Latest version v1.0.6.19

Wildcards on subdomain in a whitelist don't allow scripts to execute

Adding a wildcard on a subdomain to the whitelist does not allow scripts on the subdomain.

Steps:

  1. add *.client-channel.google.com
  2. visit mail.google.com with a logged in account, wait for the hangouts app to load
  3. Observe <num>.client-channel.google.com in the blocked resources list

These servers are used by the hangouts application and are not accessed for up to 20 seconds after page load (on this machine).

Canvas - AudioContext - Battery API

please block this

Canvas Fingerprint
www.browserleaks.com/canvas

AudioContext Fingerprint
https://audiofingerprint.openwpm.com/

Battery API
http://techcrunch.com/2015/08/04/battery-attributes-can-be-used-to-track-web-users/

webrtc unique devices id's
www.browserleaks.com/webrtc

/////////

webgl fingerprint:
WebGLRenderingContext
WebGLShader
WebGLTexture
WebGL2RenderingContext

audiocontext fingerprint:
webkitAudioContext
OfflineAudioContext
AudioContext
webkitAudioContext
createDynamicsCompressor
createOscillator
OscillatorNode
webkitOfflineAudioContext

webrtc and webrtc unique devices id's:
MediaStreamTrack
RTCSessionDescription
RTCDataChannel
webkitRTCPeerConnection
RTCPeerConnection

battery status api:
getBattery
