
sticky: extensions #294

Closed
Thorin-Oakenpants opened this issue Nov 30, 2017 · 108 comments

Comments

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Nov 30, 2017

please try to NOT start discussions in here, start a new issue instead. ONLY use this thread to report extensions - thank you

Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki list 4.1: Extensions. Stick to privacy and security related items, and do not mention legacy extensions

🔸 Added Web Extensions

  • ... go look on the Wiki page - not listing things twice

🔸 Pending Web Extensions

🔸 Rejected If you strongly disagree, then by all means, bring it up

...

@Atavic

Atavic commented Dec 3, 2017

FacebookTrackingRemoval barely tested here (no FB), but I trust the dev.

edit: Not interested in Extensions that pander to a single site. The adblocking and cosmetics of hiding elements can already be done (uM, uBo .. heck, even Stylus). The link clicking/tracking can also be done not that I have uber investigated it, but rules can be created I'm sure. So unless I'm missing something.. nah - Thorin

@Decopi

Decopi commented Dec 7, 2017

Please, I would like to submit to be added to the list, Peter Snyder add-on (WebApiManager): https://addons.mozilla.org/en-US/firefox/addon/webapi-manager/

Edit: It is already listed above in the pending section - Thorin

@Atavic

Atavic commented Dec 8, 2017

User Agent Switcher

I know current policy for spoofing, so I'll silently keep an eye on this webext.

Edit: Godamn it - no UA rubbish - Thorin

@Decopi

Decopi commented Dec 8, 2017

Another suggestion, ClearURLs, Kevin Roebert:

https://addons.mozilla.org/en-US/firefox/addon/clearurls/

The main difference of this add-on is, first, that it is open source, and second, that it has 65 rules against an average of 13 rules for other similar add-ons.

Edit: added to the list above, and am testing it out myself - Thorin

@2glops

2glops commented Dec 8, 2017

In fact : https://addons.mozilla.org/en-US/firefox/addon/clearurls/

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Dec 8, 2017

ClearURLs has some possible issues (all resolved now: April 2018)

  • you need to set an extension permission exception for cookies in order to be able to log (must use localStorage for that) - fixed FF59+
  • it has web_accessible_resources [1] which on the face of it seems ok. The log is viewed internally, not sure about the alert part. Can someone look into this?
  • bit weird: the counter keeps going up and up per page - eg on reddit it blocks 2 items, then go next page and it climbs to 4 etc. It starts from scratch on a new tab+reddit etc. I'd rather have it PER page, not a running total. That way you can see if anything is blocked or not.

[1]

```json
"web_accessible_resources": [
    "siteBlockedAlert.html",
    "log.html"
]
```

@KevinRoebert

KevinRoebert commented Dec 8, 2017

Hi, I'm the owner of ClearURLs. I want to answer your questions:

you need to set an extension permission exception for cookies in order to be able to log. It doesn't use IDB, but somehow the cookie setting blocks storage of log data

We're saving the log with the following two functions:

```js
/**
 * Function to log all activities from ClearUrls.
 * Only logs when logging is activated.
 * The log is only temporarily saved in the cache and will be
 * permanently saved by the saveLogOnClose function.
 *
 * @param beforeProcessing  the url before the clear process
 * @param afterProcessing   the url after the clear process
 * @param rule              the rule that triggered the process
 */
function pushToLog(beforeProcessing, afterProcessing, rule)
{
    if(logging)
    {
        log.log.push(
            {
                "before": beforeProcessing,
                "after": afterProcessing,
                "rule": rule,
                "timestamp": Date.now()
            }
        );
    }
}

/**
 * This function is triggered by the events windows.onRemoved and tabs.onCreated
 * and will save the log permanently to local storage.
 * We only save the log occasionally, for performance reasons.
 */
function saveLog()
{
    if(logging)
    {
        browser.storage.local.get('resetLog', function(data) {
            if(data.resetLog)
            {
                log = {"log": []}; // Delete the old log
                browser.storage.local.set({"resetLog": false});
            }
            else
            {
                browser.storage.local.set({"log": JSON.stringify(log)});
            }
        });
    }
}
```

We only save a log when the user activates the logging function. By default the logging is disabled, because it is only a feature for debugging and for making suggestions for new rules.

it has web_accessible_resources [1] which on the face of it seems ok. The log is viewed internally, not sure about the alert part. Can someone look into this?

The alert part is only an HTML page that informs the user that a whole domain was blocked because of ad-tracking, like doubleclick{dot}net.

E.g. the alert page on doubleclick:

bit weird: the counter keeps going up and up per page - eg on reddit it blocks 2 items, then go next page and it climbs to 4 etc. It starts from scratch on a new tab+reddit etc. I'd rather have it PER page, not a running total. That way you can see if anything is blocked or not.

Yeah, this is a feature-bug :P. We will change this in the next update, so the counter will count only the blocked fields on a page, not on a tab like now.

I am available for any questions.

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Dec 8, 2017

Thanks @KevinRoebert I am not a developer, so excuse my ignorance.


Are you using the right storage API, because a cookie permission should not be needed AFAIK. Other web extensions do not have this issue storing some local non-IDB data - I guess it depends where. Yes, you would need one if it were IDB - see 1406675 and the workaround ( https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1.1-Setting-Extension-Permission-Exceptions ). It's not critical, because I can easily set a site permission exception on the UUID.

FYI: WEs can access their own storage regardless of prefs using the storage API (+permission). [1]

Although this API is similar to Window.localStorage it is recommended that you don't use Window.localStorage in extension code. Firefox will clear data stored by extensions using the localStorage API in various scenarios where users clear their browsing history and data for privacy reasons, while data saved using the storage.local API will be correctly persisted in these scenarios.

[1] source: @earthlng, our resident code wizard


Web Accessible Resources - see this issue for more info. The UUID, which is unique to each install of a web extension, can be exploited in some cases. Other extensions do not require this for their UI popups, etc. Is it possible to do away with them? AFAICT, you're not injecting or doing anything to web content, just blocking requests - right? So we should be safe (told you I am not an expert!).


Good to know about the counter

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Dec 8, 2017

@KevinRoebert Here is a comment by gorhill (the dev of uBo and uMatrix) that shows you how to bypass using web accessible resources - all over my head, but there ya go :)

Edit: OK, looks like you're injecting that alert into web pages. This could be a problem. Not your fault - it's Mozilla's fault for using a UUID per install and not masking/hiding it properly

@KevinRoebert

KevinRoebert commented Dec 8, 2017

Edit: OK, looks like you're injecting that alert into web pages. This could be a problem. Not your fault - it's Mozilla's fault for using a UUID per install and not masking/hiding it properly

I do not directly inject the alert into web pages. The process is the following:

  1. ClearURLs detects a blocked domain.
  2. ClearURLs rewrites the requested url to `var siteBlockedAlert = browser.extension.getURL('./siteBlockedAlert.html');` (the add-on's internal alert page).
  3. Firefox does not visit the requested domain; Firefox visits the rewritten add-on internal domain.
  4. So the displayed url is something like this: moz-extension://9b334143-726d-4afb-8aa4-930b025ae4b5/siteBlockedAlert.html

This is the code for the rewrite:

```js
/*
 * Cancel the request and redirect to the site blocked alert page,
 * to inform the user about the full url blocking.
 */
if(result.cancel){
    return {
        redirectUrl: siteBlockedAlert
    };
}
```

And it will be evaluated here on line 7:

```js
/**
 * Called for each request and checks the url.
 *
 * @type {Array}
 */
browser.webRequest.onBeforeRequest.addListener(
    clearUrl,
    {urls: ["<all_urls>"]},
    ["blocking"]
);
```
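The redirect Kevin describes, as an added example that is not ClearURLs' own code: the onBeforeRequest decision is pulled into a pure function and gated so that only top-level navigations are sent to the extension's alert page, while sub-resources from a blocked host are cancelled instead, which keeps the per-install moz-extension:// UUID out of web page content. The blocked host list and the page name are assumptions.

```javascript
// Added example (not ClearURLs' code). Decision logic for a blocking
// webRequest listener, kept separate from the browser API so it can be
// exercised outside Firefox.

// Constructed list of hosts whose requests should be refused outright.
const BLOCKED_HOSTS = new Set(["tracker.example", "ads.example"]);

// Hostname of the request, or null when the URL cannot be parsed.
function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// True when host equals, or is a subdomain of, a blocked host.
function isBlockedHost(host) {
  if (!host) return false;
  for (const blocked of BLOCKED_HOSTS) {
    if (host === blocked || host.endsWith("." + blocked)) return true;
  }
  return false;
}

// Decide what the onBeforeRequest listener returns for one request.
// `details` mirrors the webRequest details object: {url, type}.
// `alertUrl` is the extension-internal page, e.g.
// moz-extension://<uuid>/siteBlockedAlert.html (hypothetical name).
//
// Only a top-level navigation (type "main_frame") is redirected to the
// alert page: the UUID then appears in the address bar, where web content
// cannot read it. A script, frame, image or XHR from a blocked host is
// cancelled instead of redirected, because redirecting a sub-resource to a
// moz-extension:// URL would load the per-install UUID inside the page's
// own context, which is the exposure discussed in this thread.
function decideAction(details, alertUrl) {
  if (!isBlockedHost(hostOf(details.url))) {
    return {}; // allow the request unchanged
  }
  if (details.type === "main_frame") {
    return { redirectUrl: alertUrl };
  }
  return { cancel: true };
}

// Register the listener only when running as a WebExtension background script.
if (typeof browser !== "undefined" && browser.webRequest) {
  const alertUrl = browser.runtime.getURL("siteBlockedAlert.html");
  browser.webRequest.onBeforeRequest.addListener(
    (details) => decideAction(details, alertUrl),
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```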

@Thorin-Oakenpants
Contributor Author

Thanks for the info 👍 I saw an image on AMO (the third one) and to me it looked like the alert was placed in the web page in lieu of a blocked element or something - it doesn't reach the edges of the page. Sorry if the term "inject" is not correct (told ya I was a dummy) :)

@Thorin-Oakenpants
Contributor Author

Added Forget Me Not | GitHub to the list above to keep an eye on etc.

This may get closer to the all-in-one persistent storage extension I am dreaming of. Blacklist all (delete after domain no longer open), whitelist (keep), greylist (session only) etc. But it has issues due to FF limitations such as FPI, containers, PB mode, localStorage by host (FF58+) being the main ones.

It does have some extra items such as history, form data, service workers, certs, IDB - but they're listed under clear all. So far the ONLY thing cleaned by domain is cookies (and localStorage in FF58+), and you can do that with C-AD. Still, worth keeping an eye on maybe.

@Atavic

Atavic commented Dec 22, 2017

Nano Adblocker Beta is out, I hope someone will test it as I do.

@ghost

ghost commented Jan 3, 2018

Concerning the WebApi Manager Firefox extension in the context of sites using IndexedDB when cookies are not blocked (Issue #294), among all its features there is one which deals with that, listed in the extension's Options / Storage / Indexed Database API item: blocking it forbids sites from using IndexedDB without altering Webextensions which need it, which is interesting at least until the arrival of Firefox 59 which is announced as resolving this issue.

@verlain3

Does Cookie AutoDelete work now with LocalStorage on Firefox 58 that came out today?

@ghost

ghost commented Jan 23, 2018

Does Cookie AutoDelete work now with LocalStorage on Firefox 58 that came out today?

And the answer is... yes!
Provided the user has checked the option in Cookie Autodelete's settings' Localstorage Cleanup (Firefox 58+)

@Forsaked

Forsaked commented Jan 24, 2018

Does Request Control still work for you guys?
It looks like it stopped working for me weeks ago; even with a vanilla profile, no user.js and no other extensions, it doesn't do anything with its basic rules or custom rules.

Edit: Running 58.0

@Atavic

Atavic commented Jan 24, 2018

Request Control 1.7.1 on FF ESR 52.0 32-bit works:
https://github.com/tumpio/requestcontrol/wiki/Testing-links

@Thorin-Oakenpants
Contributor Author

1.8.6 on FF57 seems to work for me: my little imdb stripper rule worked. I do know it was broken for one release about 2 months ago

@crssi

crssi commented Jan 25, 2018

@Thorin-Oakenpants would you mind to share this little imdb stripper rule?

@Forsaked

Forsaked commented Jan 25, 2018

Cross-checked with my work computer: it works fine there but not at home.
Even with a new vanilla profile it doesn't seem to work there.
I hope it is not Malwarebytes again, which f***ed up my last profile 4 weeks ago.

Edit:

Found the culprit!
The basic rules worked after removing Request Control and adding it again, so I rebuilt the sample rules from #149 and now they are working fine.
Looks like something changed in the extension and my exported rules.json from before WE was somehow bad.

@forteller

I would like to recommend adding the extension Redirect AMP to HTML. Google is trying to gather as much information about everyone's browsing habits as possible, and to eat up as many web services as possible. Now they've gone so far as to host other people's content for them. This is very destructive to the web, and your privacy. Read more about it here: https://danielmiessler.com/blog/google-amp-not-good-thing/

This extension redirects you away from AMP, so you don't use it yourself and don't link others to it when sharing the link. It's very important to send the message to newspapers and everyone that we don't want Google to own the web, we don't want AMP.

Thanks!

@grauenwolfe

CSS Exfil Protection

Based on reading about this on Bleeping Computer earlier today. Anyone already familiar with this BS?

With the recent upgrades to the CSS language, CSS code has become a powerful tool that could be abused to track users on websites, extract and steal data from a web page, collect data entered inside form fields (including passwords), and even deanonymize Dark Web users in some scenarios.

Over the past month, three interesting research projects have tackled CSS as an attack vector, showing how this once benign language could be turned against users.

Article on Bleeping:
CSS Code Can Be Abused to Collect Sensitive User Data

@Thorin-Oakenpants
Contributor Author

^^ continue it here: #343 (comment)

@crssi

crssi commented Feb 13, 2018

FYI:
If you block access to storage\temporary folder then you can't manage rules in "Header Editor" addon.

Cheers

@crssi

crssi commented Feb 13, 2018

No, no, you got me wrong. CSS Exfil has nothing to do with that.
It's general. The sub folder "storage\temporary" in the profile folder.
For some reason (testing) I had, for a long time now, deleted this folder and created a file with the same name, to block its usage. And in this case I can't manage rules in the "Header Editor" addon.
I had done the same a long time ago with "storage\default", but now, for obvious reasons of how WEs storage works, this is not the case anymore.

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Feb 13, 2018

that's an IDB folder (but IDB can also be used by web workers - eg think of uBO's web worker when searching for the block via logger in the 3rd party filters). I can't find the doc (I swear it was in MDN docs) about temporary folder use. It was an entry about those default-permanent-temporary storage folders - and from what I remember, the temporary one was nothing to worry about - I think it HAS to clean up after itself when finished. I should find that doc again.

this might have been it: https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API/Browser_storage_limits_and_eviction_criteria - I can't tell because the whole Storage v2 is rolling out AFAIK (edit: yup, it's changed a bit from memory - I think all the storage quota stuff is new and LRUs - page updated a month ago)

Users shouldn’t add their own directories or files under <profile>/storage. This will cause storage initialization to fail; for example open() will fire an error event.

@crssi

crssi commented Jun 1, 2018

@Atavic it looks like Containerise is a better alternative to Multi-Account Containers, for example permanent containers created within it are not deleted by TC... at least from what I see.

@curiosity-seeker

@crssi

it looks like Containerise is a better alternative to Multi-Account Containers, for example permanent containers created within it are not deleted by TC

I've never seen this on my system. Permanent containers in MAC have never collided with TC so far.

@curiosity-seeker

If permanent containers are created in FF settings then no, but if they are created over MAC, then after TC cleansing those are gone

Well, not here. I always create them in MAC.

@curiosity-seeker

So am I.

@curiosity-seeker

No, I haven't tried that yet. I'm afraid we're getting a bit OT here ;-)

@KevinRoebert

Hello. I just wanted to say that ClearURLs moved to GitLab. The repository can now be accessed via the following link: https://gitlab.com/KevinRoebert/ClearUrls

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Jun 7, 2018

@KevinRoebert Thanks. I've fixed our link. PS: in your readme (on github) notice you misspelled "Official" (missing the second i )

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Jun 19, 2018

https://addons.mozilla.org/firefox/addon/universal-bypass/ - if anyone wants to check it out (excuse my ignorance on link shorteners) does this bypass giving away your browsing to the relevant parties (like the EvilCorp AMP bullshit)?

PS: I never click on shortened links anyway - f*ck em, but I'm intrigued, especially since we have an issue about AMP and also added a link to a remove_t.co user script in the wiki

@claustromaniac
Contributor

claustromaniac commented Jun 19, 2018

does this bypass giving away your browsing to the relevant parties

In short: yes.

AFAICT It's merely a convenience thing. It helps speed things up a bit, and it might help avoid unwanted side effects of clicking scripted buttons on those sites (like redirections and whatnot). The extension still needs you to allow scripts on most (if not all) of those URL shortening sites, though, so that last part might not be of much relevance anyway.

(like the EvilCorp AMP bullshit)

If you're referring to the Redirect AMP to HTML extension, I'd say that extension is just not meant to protect one's privacy in any way. It's a useful extension, just not privacy-wise.

EDIT: Got my confirmation. https://github.com/da2x/amp2html/issues/7

@claustromaniac
Contributor

claustromaniac commented Jun 20, 2018

I never click on shortened links anyway

Going a little OT: you might want to add those domains to your uBO filters, just in case. Before checking out that extension I wasn't even aware there were that many link-shortening sites out there...

@Thorin-Oakenpants
Contributor Author

(like the EvilCorp AMP bullshit)

If you're referring to the Redirect AMP to HTML extension

Nope. By bullshit, I mean 3rd parties sitting between me and the content... yet another asshole clipping the ticket

@claustromaniac
Contributor

I was going to make my own extension for this but I found one that looks good: Detect Cloudflare | GitHub

I was a little bit surprised when I found the Block Cloudflare MITM extension is not listed here. Should I have posted this in #310 instead?

I also found Claire, but I like the visibility of Detect Cloudflare and the fact that it lists all third party domains that go through Cloudflare as well.

@Thorin-Oakenpants
Contributor Author

detect cloudflare .. so 50% of sites I visit and growing - I think it's a losing battle TBH. Block Cloudflare is too extreme IMO - I think I've covered this before, but you can just block cloudflare in uM (right?, or is it not apparent and gets loaded via a redirect or something? sorry for using the correct technical terms for shit).

Claire looks kinda cool - shows HTTP2 and IPv6. Maybe we should discuss all this in a new topic

@Thorin-Oakenpants
Contributor Author

since we block HTTP2 and will do so for IPv6 (and NFI what a ray thingy is) .. I kinda like Detect Cloudflare especially the distinction tween orange and red

@claustromaniac
Contributor

claustromaniac commented Jul 24, 2018

I think it's a losing battle TBH. Block Cloudflare is too extreme IMO

I agree. Blocking is not for everyone. Not for many, even.

you can just block cloudflare in uM (right?, or is it not apparent and gets loaded via a redirect or something?

CF in the broadest sense is a CDN. It offers part of its services by delivering content as a third party (Decentraleyes covers some or all of these), and that part can be blocked with uM, uBO, etc. The worrying part from a security/privacy perspective is their service as a reverse proxy. That's what people refer to when they say CF is MITM'ing users. CF sits between the server and you, and some or all HTTPS traffic gets decrypted and re-encrypted along the way without your consent (but with the server's consent, since they are the ones using CF).

CF uses a number of custom headers, including the CF-Ray header, that can be used to detect its presence as a reverse proxy. That's what these extensions do.

I generally don't give a shit about CF because I don't use most websites I visit for personal stuff, but sometimes I want to know if CF is routing the traffic or not. Sure, I could just check the headers myself, but that gets tedious pretty fast. The extension not only saves me that trouble, but also serves as a constant reminder that I shouldn't blindly trust the padlock next to the URL.
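A minimal version of what these extensions do, as an added example (not the code of Detect Cloudflare, Claire or claustromaniac's fork): each response is classified by its CF-Ray header in the webRequest `responseHeaders` shape, and a per-tab summary records which hosts came through Cloudflare's reverse proxy, separating the top-level document from sub-resources. All header values and URLs below are constructed.

```javascript
// Added example, not the code of any extension named in this thread.
// Detect Cloudflare's reverse proxy from response headers, in the
// [{name, value}] form that webRequest.onHeadersReceived delivers.

// Case-insensitive header lookup; returns the value or null.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const h of headers) {
    if (h.name.toLowerCase() === wanted) return h.value;
  }
  return null;
}

// Classify one response. `proxied` is true when a CF-Ray header is
// present, i.e. the response was relayed by Cloudflare's reverse proxy.
// `colo` is the data-centre code after the dash in the ray id, if any.
function classifyResponse(headers) {
  const ray = getHeader(headers, "cf-ray");
  if (ray === null) return { proxied: false, ray: null, colo: null };
  const parts = ray.split("-");
  return { proxied: true, ray, colo: parts.length > 1 ? parts[1] : null };
}

// Per-tab summary: the proxied top-level document (type "main_frame")
// and every other proxied host loaded as a sub-resource in that tab.
// `events` is an array of onHeadersReceived details objects.
function summariseTab(events) {
  const summary = { document: null, subResources: [] };
  for (const ev of events) {
    const c = classifyResponse(ev.responseHeaders);
    if (!c.proxied) continue;
    const host = new URL(ev.url).hostname;
    if (ev.type === "main_frame") {
      summary.document = host;
    } else if (!summary.subResources.includes(host)) {
      summary.subResources.push(host);
    }
  }
  return summary;
}

// Constructed sample: one page load with three responses.
const SAMPLE_EVENTS = [
  { url: "https://site.example/", type: "main_frame",
    responseHeaders: [{ name: "Server", value: "cloudflare" },
                      { name: "CF-RAY", value: "0123456789abcdef-LHR" }] },
  { url: "https://cdn.example/app.js", type: "script",
    responseHeaders: [{ name: "cf-ray", value: "fedcba9876543210-AMS" }] },
  { url: "https://fonts.example/f.woff2", type: "font",
    responseHeaders: [{ name: "Server", value: "nginx" }] },
];

// Inside a WebExtension background script, feed live responses through
// the same classifier (needs the webRequest permission and host access).
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => {
      const c = classifyResponse(details.responseHeaders);
      if (c.proxied) console.log("via Cloudflare", c.colo, details.url);
    },
    { urls: ["<all_urls>"] },
    ["responseHeaders"]
  );
}
```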

@Thorin-Oakenpants
Contributor Author

Am thinking we should add Bitwarden to the wiki - personally, I plan on wiping all my FF saved passwords and disabling it, and using Bitwarden instead. Haven't really looked at the whole thing, but FF's encryption of passwords isn't meant to be the greatest (but I do not consider my PC to be under any threat). No other password manager extension comes close to BW, right? Anyone got any opinions?

might need to retire this issue and start a clean new one, and review what's been covered in the hundred comments

@curiosity-seeker

No other password manager extension comes close to BW, right?

Hm. There have been several concerns (example) about the security of LastPass. What makes you sure that Bitwarden does it better?

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Aug 14, 2018

My understanding is that the data is encrypted locally and no-one but you can decrypt it, so the cloud versions for syncing cannot be compromised. Maybe I need to actually read up on the exact features. Plus it's open source AFAIK

Edit:

Bitwarden stores all of your logins in an encrypted vault that syncs across all of your devices. Since it's fully encrypted before it ever leaves your device, only you have access to your data. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.

Bitwarden is 100% open source software. The source code for Bitwarden is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase.

@curiosity-seeker

Yes, this is exactly how Lastpass does it, too - see, e.g., https://www.lastpass.com/how-lastpass-works . And yet there seem to exist - or, at least, existed - implementation errors. They attracted attention because Lastpass is the most popular password manager. Who knows if Bitwarden is affected by similar flaws.

I am not sure if you should recommend any cloud-based password manager. There are many users who refrain from using them because of security concerns.

@Thorin-Oakenpants
Contributor Author

Hmmm .. I thought LastPass had all the keys, so to speak. Something I did for a client a few weeks ago really led me to believe they could see it all (password info rendered into an https page - I think it was either the print output or an online vault page or something). I guess not. BTW, a quick search unearthed this

https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032

Not that BW couldn't have issues as well. BTW, BW allows you to use any cloud, including your own (but yeah, most people couldn't do that and would be even less able to make it secure)

@claustromaniac
Contributor

Lately, I've been trying out MasterPassword (GitHub). I like the concept a lot, but I wish it were possible to create longer passwords. It can at most generate 20-char-long passwords AFAICT. I wouldn't use it for anything super important, for that reason.

Also, I see a theoretical downside to it: if an attacker got ahold of ONE of your passwords that were generated with MasterPassword, and if he knew that you use that extension, by reversing the algorithm it should be possible for them to get ahold of ALL of your passwords generated that way. It's a scary worst-case scenario, but they have to be targeting YOU, which to me sounds a lot less likely than getting your passwords stolen from a high-profile cloud service like LastPass or the like (except maybe a self-hosted BW instance, of course).

@fmarier

fmarier commented Aug 14, 2018

Lately, I've been trying out MasterPassword (GitHub). I like the concept a lot, but I wish it were possible to create longer passwords. It can at most generate 20-char-long passwords AFAICT. I wouldn't use it for anything super important, for that reason.

That concept is usually called "password generators". The adblockplus guy reviewed the security details of all of the ones he could find and ended up writing his own.

@claustromaniac
Contributor

Thanks for the info, @fmarier !

@claustromaniac
Contributor

Just FYI, regarding the Detect Cloudflare extension that I mentioned previously, I released a fork of it with some minor changes here.

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Aug 24, 2018

I prefer toolbar icons, so everything is visually in one place
checkitout

@claustromaniac
Contributor

I prefer a Page Action for this one because I don't need to see the extension's icon when CF is not detected. It just wastes valuable space on smaller screens.

I opened a pull request to commit the other significant difference to the original extension. If it is merged, the behavior of the icon will be the only difference left between the original and my fork. I considered making more changes but maybe some other time :)
