sticky: extensions

[Thorin-Oakenpants]

previous threads #294 #211 #12
woo... the old issue of 294 is a palindrome of this issue 492 ... spooky 👻

---

Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki list 4.1: Extensions. Stick to privacy and security related items

🔸 possible additions

• Modify Header Value
• mHeaderControl | GitHub
• Referer Control
• History AutoDelete
• WebAPI Manager | GitHub
• Forget Me Not | GitHub
• CookieBro
• Luminous | GitHub - JS Events handling
• FoxyProxy
  • Basic
  • Standard

🔸 nah ^{feel free to discuss}

• Canvas Defender
  • nah. see FYI - Detecting Canvas Defender and recovering the original canvas value #458 , Canvas Blocker is far superior
• Google search link fix | GitHub
  • google/yandex. Personally, I suggest using something more universal
• VTzilla
  • shitty privacy policy, you have to opt-out of scanning everything, but could be handy for some people, as long as they are aware of the privacy implications
• Searchonymous2 | GitHub
  • use containers if you want to separate google search from logged in google services
• eCleaner (Forget Button) | GitHub
  • abandoned since Sept 2017, and outstanding issues. Forget Me Not looks better for this kind of thing
• Shape Shifter | GitHub
  • abandoned since Aug 2017, doesn't really offer anything not already covered
• Negotiator | GitHub
  • abandoned since July 2017 (and it had some issues/flaws according to the big E)

...

[claustromaniac]

I think another decent candidate for a [tools] section would be uBO-Scope.

Well, if the idea is to separate privacy/security-related but non-protecting extension into a separate list, then any extensions like the legacy SSleuth would belong in there too, right? BTW, I kinda miss SSleuth.

[Just-me-ghacks]

3P Request Blocker - Page not found

[practik]

re #294 (comment)

Forget Me Not … work very unreliable

@crssi , do you remember what problems you found with FMN? I ask because I've been trying it out for about a week (after using Cookie AutoDelete for nearly a year), and so far FMN has been just as good as CAD, in some ways even better. What should I be watching out for?

[Atavic]

@Just-me-ghacks https://addons.mozilla.org/en-GB/firefox/addon/tprb/

[crssi]

@practik
Yes. What I have found back then is that FMN worked well until it decided to not to.
It was very random, sometimes few minutes after browsing, sometimes an hour or so, but at one moment it stopped to delete cookies after, until FF restart.
Since I have not returned to FMN now for months, it might be already sorted out.
I would say for you to just check, every once and a while, if cookies are removed as they should.
Cheers

[practik]

^^ !! That's bad. But it hasn't done that for me so far. Hopefully it is sorted out, it's gone through a few updates since you tested it. I'll keep an eye on it. Thanks!

[grauenwolfe]

Whoa, Luminous looks like it could be badass. Anyone using it already?

[Atavic]

I have it on an install used for unlogged browsing (like no github or webmail) only.

I block events like beforeunload and all the events related to mouse movements, like mouseover, etc.

See: https://gbaptista.github.io/luminous/doc/en-US/

[grauenwolfe]

@Atavic
Very down-to-earth but still entirely thorough documentation. Hopefully it can actually help me deal with all of the internet's rampant annoyances. Probably try it out soon on another machine and see how it does.

[Thorin-Oakenpants]

BTW, I kinda miss SSleuth.

• https://github.com/sibiantony/ssleuth/issues/78#issuecomment-392271507
• example extension: https://addons.mozilla.org/en-US/firefox/addon/certainly-something/
• API ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1322748

So no idea when or what SSleuth Web Ext will look like

[claustromaniac]

Ah, great. I was about to mention that I renamed my repo and now the link to Detect Cloudflare PA should be broken, but it seems Github is smart enough to redirect folks to the new URL. 🎉

I still want to mention that I went ahead and listed it on AMO. Traktofon seems to be MIA or something, and I was bored, so I also added a toolbar icon to it and made the address bar icon optional, among many other thingies.

So far it works great for me. The only significant issue left to fix seems to be that it can't always behave as expected when the backward or forward navigation actions are used, but that one seems kinda painful to fix compared to the other issues that I already fixed. I may eventually work on that, though.

Anyway, I thought you may want to know.

👖 : modified the wiki to only point to your fork - its not really a fork anymore IMO

[Kraxys]

I would like to advice for 3 extensions:

1. The 2 natural companions of I think every meticulous proxy or vpn user:

• Change Timezone:
  https://addons.mozilla.org/en-GB/firefox/addon/change-timezone-time-shift
• Location Guard:
  https://addons.mozilla.org/en-GB/firefox/addon/location-guard/

With these 2 addons you can make your system time zone and and wifi geolocation be in accordance with the IP geolocation and local time zone of the proxy/vpn server you are using. Not a one click process, though. But this avoids increasing your entropy by wearing a Russian ip and in the the same time a system wifi geolocation and date settings that show you near Melbourne.

2. BP Block Font Fingerprint:
   https://addons.mozilla.org/en-US/firefox/addon/bp-block-font-fingerprint
   This extension avoid the detection of any font or any unique glyph, without impairing la appearance of the page (as setting the pref browser.display.use_document_fonts to 0 does).

[crssi]

0 font detection will make you unique for sure.

[earthlng]

re: BP Block Font Fingerprint:

0 font detection will make you unique for sure.

not only will it make you pretty unique because very few people use something like this extension,
the extension itself also has several flaws.

1. it comes with a absurdly long list of domains it considers "trusted" and which it allows to detect fonts if they want to. Among these domains are pretty much all google domains, twitter, facebook to name but a few ?!?!
2. it's easily detectable if sites cared to look. The functions it uses to overwrite certain things can be read
3. it's easily blockable with a CSP that doesn't allow inline JS in which case it's completely useless

but thanks to this extension suggestion I looked at fonts again in general and I found some things which I think we need to improve in the user.js. I'll open a new issue to discuss them

[Kraxys]

@CRSI & earthing
I agree concerning the unicity created by BP Block Font Fingerprint. And thanks in particular to Earthing to make clear this extension had some fundamentals flaws.

What's your opinion concerning my suggestions about Change TimeZone and Location Guard, in order precisely to diminish the entropy raised by using a vpn/proxy server having time and location characteristics than those of the system's user?

For location, blocking geo wifi in preference may be considered as sufficient (except if the browsed site mandatory want geo wifi data, a case where the use of Location Guard could be useful). But not geoblocking and instead spoofing geo wifi with Location Guard accordingly to the proxy server used, puts the user on a safer side in the point of view a spoofing: The location provided by the proxy server IP is in that case confirmed by geo wifi data sent by the browser, so reinforcing its likelihood.

Concerning Change Timezone, this extension solves a sharper problem as there isn't in FF's preference anything as "don't send any date time-zone data" (as it was the case for location with blocking geo wifi preference). Blocking these data from being sent could maybe be achieved with some uMatrix or NoScript setting, but it then raise an unicity flag, as not letting the browser send them is not a common behavior.

[Atavic]

https://github.com/dessant/clear-browsing-data seems rich in options.
Do they cover anything interesting?

[Kraxys]

Clear Browsing Data seems interesting. But after installing it, it seems not able, neither to clear browsing data when the browser closes, nor when it starts. Only during the browsing session.

In order to sanitize a browsing session as soon as it begins, there is StorageErazor: It clears Cache, Local Storage and IndexedDB each time the browser starts. The IndexedDB clearing is important, since 1) blocking IndexedDB in FF preference breaks some site 2) Cookies Autodeleted doesn't handle IndexedDB.

Maybe Clear Browsing Data and StorageErazor may be seen as complementary each other.

[practik]

StorageErazor: It clears Cache, Local Storage and IndexedDB each time the browser starts. The IndexedDB clearing is important

Actually, you can do this without any extension simply by setting Firefox to clear "Offline Website Data" on shutdown (see section 2803 of ghacks-user.js, or Cookie-AutoDelete/Cookie-AutoDelete#171 (comment)).

[Kraxys]

@practik :Thanks for this information. I didn't know checking "clear Offline Website Data" erased indexedDB. This strongly reduces the usefulness of StorageErazor, but I will nevertheless keep this addon enable and "clear Offline Website Data" checked, as the second works when the browser closes, and the first, when it starts, so that I'm absolutely sure to begin each browsing session on a neat basis :)

Other addons I suggest are the ones permitting to block Authentication:
Along ip-check.info:

"Many browsers allow web sites to send hidden authentication data to third party sites. Example:

This may either happen directly on the current page or in an iframe, and does NOT need JavaScript. If additionally iFrames and JavaScript are used, even the currently loaded page may get your ID. This data is deleted when the browser is closed, but, execpt for this, has the same effect as third party cookies.

Your browser should not send any HTTP authentication data to third party sites.

Currently known to be affected are: Chrome, Safari, Firefox".

I don't know whether or not all that is completely up-to-date, but if it remains true, I think it would be wise to prevent tracking via Authorization.

I currently have found 2 addons permitting that:
Authentication Tracking Blocker and Block Http Authentication

Notice that blocking Authentication is one of the feature of Chameleon, too. This addon has many other interesting features (as optionnally spoofing time, screen size and ClientRects), and while using it may increase entropy, I think that when properly used, it can in fact reduce it (eg when spoofing your system time accordingly the time of the proxy server you are using, or when spoofing screen size with the most common ones for desktop PC, such as 1366x768 or 1920x1080).

[crssi]

@Kraxys do you have any example site using Authentication?

[Atavic]

Here the headers are described.

[crssi]

@Atavic thank you, but I didn't mean a description, but a real case site using it. 😄

[Atavic]

I haven't seen any, you got to use Fiddler, Charles Proxy or similar tools to debug headers responses.

[crssi]

Using Fiddler here for years (now you made me to look at Charles Proxy, for which I have never heard before 😄) and also found one at https://www.amainhobbies.com/ over XHR. Interesting at this site is also that login doesn't work when EvilCorp analytics is blocked.. WTF.

[Atavic]

Charles is not free and has a Mac version. Privoxy is another proxy that changes or crunches headers.

[sanjayen]

Please change the Decentraleyes rules to add to uBlock Origin URL to https://git.synz.io/Synzvato/decentraleyes/wikis/Frequently-Asked-Questions#for-umatrix-and-ublock-origin-non-easy-mode-users

Thorin - Thanks, done 👍

[ghost]

The very concept of allowing sites to store anything else than cookies

Because they have valid use cases. It's part of the standards.

There may be valid use cases (I linger to know which ones) but meanwhile they allow sites to lay data in my IndexedDB storage folder without the reason being obvious to me.

If I've set the cookie behavior to block all by default with exceptions set by me it is because of what allowing cookies leads to: why does bostonglobe.com lay data in my IndexedDB, why does youtube.com as well? Maybe we're in the same scenario as plain cookies where sites use them even when not required: a valid feature abused by some, many websites.

I just do not want and do not accept a website downloading data in my browser profile without my explicit authorization. Hence blocking all cookies by default but more: should I be interested by a site to the point of accepting its cookies that I'd forget that site should allowing its cookies extend to that site creating its indexedDB in my profile. Same with localStorage: no persistent cookie (Allow exception) for a site that lays data in my localStorage (webappstore.sqlite) which I clean anyway once Firefox is closed.

In other words, yes for basic cookies, no no and systematic no to persistent localStorage (never persistent with session cookies) and ultimately no to indexedDB in my profile for anything else than that of the Webextensions i've installed.

What we all observe is that a browser includes features which are meant for the best user experience (I do not have in mind developers aiming to trick users on the basis of industry lobbying requirements, no conspiracy theory) and that these valuable features are exploited by some websites for their own profit and not for the user's advantage. Hence the amount of defense mechanisms developed by users, by Ghacks-user.js itself to start with, aiming at preserving the best and controlling maybe not the worst natively but the worst as what sites occasionally do with the best.

And this is only the beginning, IMO. Whatever the best intentions the trend is and remains digging into users' life. period.

[Thorin-Oakenpants]

Yeah look. They are valid mechanisms, but like everything else, they get abused.

Personally, I have had cookies blocked by default for the last 5+ years. I've allowed sites I log into a cookie (about 10 sites over the years, currently just four), I've allowed about 6 more sites a session cookie to function (and blocked them in uMatrix in headers). That's about it. I've never seen any persistent localStorage or IDB shit in all that time, and the web works for me just fine. Just think of the tens of millions of things I didn't have to clean up or have tracking me

[ghost]

That's what I do as well. I just happen to find this way of proceeding a bit radical.
Anyway, "no woman no cry" and "no browser no cry". We love 'em both.

[Thorin-Oakenpants]

@Kraxys said

Just discovered the FF addon Site Bleacher. It automatically clears coolies, local storage and indexedDB as soon as the les tab relative to a domain is closed. Far less options than CAD but Site Bleacher clears indexedDB, what CAD can't.

I said

there is no extension API available to clear IDB by domain

and Indexed DBs are removed when first site tab is open, so sites are unable to access data from previous session

if I read that correctly, it says IDBs (plural) are removed when you visit your first website after opening the browser - see the words "from previous session". I don't think English is the author's first language - that sentence is very unclear.

You can already do this, btw, by clearing data on close

@crssi said

I read it as when fist tab of specific domain is opened the IDB is cleared for this very domain, which makes sense

I said

Why don't you test it

@crssi said

Well, yes and no. If WE injects a code to delete IDB into the visited site, then it can be deleted.
I assume that the "Site Bleacher" does that and deletes IDB if this is the first tab to open that particular site/domain.

I have tested the Site Bleacher... not that I need it, since I am using TC for that purpose, but Site Bleacher is successful in deleting IDB.

Did you test it?

[Thorin-Oakenpants]

Did you test it?

No. I don't have time. I'm not an expert, but I have questions about this

• script injection doesn't sound good (this could expose the UUID? the function can be detected? issues with CSP? issues with rolling the dice with other extensions?)
• it only works on pages that allow JS (but then JS would be needed to read existing IDB entries?)
• timing, overhead - it has to inject a script and run it before the site run's it's script
• how does it detect the domain IDB entries - I am not an expert on IDB, but it is NoSQL - is there a way to enumerate all databases for the current domain? When I coded some a little while back, i had to provide the data store name

[ghost]

I've installed and use this Site Bleacher Firefox extension in place of previous ForgetMeNot.
If Site Bleacher indeed wipes a site's cookies and localStorage (unless whitelisted by Site Blocker) once the site closed, it fails to remove any IndexedDB data set by that site. I've tried with my two testing sites which both lay their IndexedDB when cookies aren't blocked for them, bostonglobe.com and youtube.com and in neither case were their IDB cleaned up, unfortunately.

But Site Bleacher does the job perfectly well for cookies and localStorage, and weighs only around 50KB I think.

[Thorin-Oakenpants]

once the site closed, it fails to remove any IndexedDB data set by that site

It (supposedly) removes it when you open the site (but not subsequent pages if you already have tab of it open)

[ghost]

It (supposedly) removes it when you open the site (but not subsequent pages if you already have tab of it open)

If I remember correctly, but I'd have to test again, it may have removed bostonglobe's IDB but I'm sure it didn't remove youtube's IDB. There's also something special with youtube' IDB foler name which ends with something like '3rd-party' ...

I'll test again right now. Stay tuned :=)

[ghost]

My 1st comment confirmed : neither bostonglobe nor youtube have had their IDB wiped by Site Bleacher.

Usually, default, my network.cookie.cookieBehavior = 2 = block all
For the test I've set network.cookie.cookieBehavior = 1 = Block third-party cookies

Opened bostonglobe.com and IDB folder name was:
https+++www.bostonglobe.com^firstPartyDomain=bostonglobe.com

Opened youtube.com and IDB folder name was:
https+++www.youtube.com^firstPartyDomain=youtube.com

=> Neither wiped by Site Bleacher.

I use in fact Site Bleacher in order to create the 'Allow Temporary Cookie' which was handled by some legacy add-ons, that is accept cookie when on site then remove, which was the 3rd option afer what we know of session cookies and allow cookies (which remain after FF restart).

Global cookie policy : block all
Exceptions:
Allow and keep (3 sites) or Allow for session (several because they require cookie authorization to display correctly (i.e. userstyles.org) either because I want to log in.

For these exceptions I don't want the cookie to remain once i've quit the site => Site Bleacher or ForgetMeNot.
I know these cookies (set with network.cookie.lifetimePolicy = 2 = session) would be removed once FF closed, but I just don't like cookies following me even within the session only when in fact I needed them only for visiting the site.
Mastering the scenarios at 100%

[crssi]

@Thorin-Oakenpants
I have never said that WE injects the code. I have used IF. Author should tell us or we should peek into the code to be sure what method is used.

The question was, does this WE clear IDB. And my tests shows that it does.
I didn't comment that the method is good and what implications are behind, since that was not a question at start.

@StanGets The fact that the IDB files are there, does not mean that those IDB's were not data cleared.

TEST 1:

1. Start with plain vanilla.
2. Visit the https://www.hotcleaner.com/cleaning-software-test.html and https://demo.agektmr.com/storage/
3. Make some choices
4. Close both tabs
5. Revisit sites and observe the results

You will see that IDB and LS and Cookies was filled in the previous visit and not cleared.

TEST 2:

1. Start with plain vanilla.
2. Install Site Bleacher WE.
3. Visit the https://www.hotcleaner.com/cleaning-software-test.html and https://demo.agektmr.com/storage/
4. Make some choices
5. Close both tabs
6. Revisit sites and observe the results

You will see that IDB, LS and Cookies were cleared and does not show the data from the last visit on revisit.

[Thorin-Oakenpants]

I haven't got time to look at this. This sucks, I had a bookmark for testing IDB. You added a title, and then some text. Add as many as you want. When you came back it would display your stored data. This is all you need - because what you entered was unique

https://demo.agektmr.com/storage/ looks like it might do the job for a test.

[crssi]

I have looked into a source code and I guess my guessing was right... the code injection is involved.

This is the code injected:

    const oldIndexedDBOpen = window.indexedDB.open;
    function newIndexedDBOpen(arg1) {
        const e = new CustomEvent("new_indexdb", {
            detail: arg1
        });
        document.dispatchEvent(e);
        return oldIndexedDBOpen.apply(this, [arg1]);
    }
    newIndexedDBOpen.bind(window.indexedDB);
    window.indexedDB.open = newIndexedDBOpen;

This opens all your valid questions about if this is good or not.
As I said before, I am not using this extension and I am not intent to use it, since everything is covered by TC here.

Cheers

[Thorin-Oakenpants]

This is it: https://static.raymondcamden.com/demos/2014/feb/7/index.html#/home

Now use that to stick in unique data

[crssi]

^^ I have now tested on the page you suggested and revisiting the page comes out clean, IDB cleared.

But since we have a working solution already, I would not analyze this extension anymore... and it raises too many other valid questions... detection of this extension, CSP, does it work when JS is disabled... and on and on.

[Thorin-Oakenpants]

First of all, it doesn't clean up after itself, because naturally, it only cleans when you open the domain, and it can't wipe folders etc. But you can do all that, sanitizing, on close. There is an option to whitelist until close (in other words, session a domain), but to me that's the same as whitelisting, because you clear on close.

The very first time I tested it, the extension didn't do anything, until I clicked on settings on the icon. And even though I didn't change anything, THEN it worked. I hope that was just a one off and not for every domain.

- make sure nothing is deleted on close (keep all cookies and shit)
- visit test page
- add a note, e.g Chocolate Cake
- close page
- open page (see your note is still there)
- close browser
- open browser & visit page (see your note is still there)
- close page (don't leave it open)
- enable/install extension
- close browser (important)
- open browser, go to test page - your data is still there
   ^^ FAILED on first attempt
- after that it seemed to work as expected

Here are my french fries

As long as I closed all instances of the test page, the next time I opened it, it was emptied. This will leave persistent disk data (forensics), but will prevent the website from accessing it next time you visit.

I do not know about the rest of the potential issues such as detecting script injection, function names, leaking UUID, and causing issues with other extensions, or even failing on sites with CSP or whatever.

That said, it's a metric fuck-tonne better than C-AD regards leaving orphaned data around to be re-used to track you

[Thorin-Oakenpants]

does it work when JS is disabled

Well, without JS, the data can't be read either

[Thorin-Oakenpants]

I do have questions over the third party data, it should be cleaning ALL data by first party IMO, and I'm not in a position to test it all - but using the storage inspector and a site that uses IDB on 3rd party should would be a start

[crssi]

First time it failed because you had the test page opened in time you had installed WE. ;)

Well, without JS, the data can't be read either

Sure it is, but what when you enable JS in the middle of loading page?

[Thorin-Oakenpants]

Bollocks. The page was not open in the session at all, and the extension was up and running and installed. Repeat from what I said earlier

- close page (don't leave it open)
- enable/install extension
- close browser (important)
- open browser, go to test page - your data is still there
   ^^ FAILED on first attempt

pages closed before installing extension and not opened until after extension on
closed the browser even
opened the browser, first new session, extension is on .. and it failed, but only that first time. The button had a red [1] on it and everything

---

but what when you enable JS in the middle of loading page

in the middle of loading a page? wot? That's not normal bro, see a doctor.

[atomGit]

There is an option to whitelist until close (in other words, session a domain), but to me that's the same as whitelisting, because you clear on close.

you may be referring to the same issue i raised with the dev - this is his reply...

Unfortunate wording, changed to "whitelist tab" only, means cookies won't be deleted on domain changes like usual, helps with sites where you are redirected to another domain for login

[crssi]

in the middle of loading a page?

I was thinking not to underestimate a standard user diversity of usage.

That's not normal bro, see a doctor.

With all the respect, lady, from the lately insulting and aggressiveness I am more thinking to see out of here. Obviously I am just wasting your time and I am sorry for that.

Cheers

[atomGit]

that comment was rather rude pants - i know you mean well, but you can be quite abrasive at times - and i know how to spot those people because i'm one of them unfortunately

[Thorin-Oakenpants]

You're just reading too much into my words. I'm not being aggressive or insulting at all - at least not the way I said it in my head as I typed it.

Yes you're right to always think of possible situations - the permutations, etc. But loading JS partway thru a page load seems almost impossible. In most cases a user would enable js and reload - e.g changes to tweaking uM, uBO, etc. I'm not even sure how you could enable it part way thru a page load

[Thorin-Oakenpants]

Sure it is, but what when you enable JS in the middle of loading page?

Here you go. If you have JS disabled and load the page. Then you enable JS and reload the page, does the extension then treat the reload as the FIRST time it was opened? Probably not.

[Thorin-Oakenpants]

Here's the thing guys and gals, and I'll try and be more selective with words in future

Slang/idioms, tone, and emotion, do not translate well across text. To me what I said was something lighthearted and slightly comedic - in my realm of real life people, it's not offensive (seeing a doctor for a non medical issue is part of the joke) - it's just a way of saying, I don't think you thought that thru, would you care to explain it further.

I am also incredibly extremely busy, especially right now, but mainly over the last 4 months (which is not anyone's fault, just laying some background), and part of my work methodology is practicing a zero inbox. So when I get notifications, I like to deal with them and delete them. I also use the open issues in this repo as my ToDo list or reminders. When in the middle of a lot of work, I can often make quick replies, and throw the ball back in the other person's court - hence why I kept telling you guys to test it (rather than me doing it).

Been here for two years. Everyone should know that I never have any problems with anyone (except that one guy, you know who), and I often go the extra mile in working things out, or explaining things. Earthlng even recently told me off for trying to do to much.

So that said, it's up to you, individually, as to whether or not, you want to be part of this repo. Earthlng and I have had arguments in the past, and we get tetchy or frustrated with each other, but we know there's nothing personal in it. And likewise, I know everyone here is asking genuine questions, or contributing - that's what collaboration is. There are no stupid questions or statements, at worst, just misunderstanding. And no-one is right all of the time (sometimes I forget that bit).

just going to @crssi here in the hope he will see it. Apologies dude. You are welcome here, you have collaborator status, and you've been here from the start.

[crssi]

Noted. Next time I will tell you "STFU, grab a beer, get naked and run around appartment singing some songs. 😄" (<- in a good sense) ❤️

[atomGit]

@Kraxys - re: Change Timezone

i use a vpn and when i test at browserspy.dk it's detecting my TZ as GMT, which is not my real TZ, and this is without the add-on - why this is the case i don't know off-hand

be curious what your results are if you also use a vpn