
css hide rules created for HTTPS sites do not work for LAN users #8

Closed
wmyrda opened this issue May 31, 2018 · 6 comments

@wmyrda

commented May 31, 2018

ab2p.system.filter contains the following rules for element hiding.

cat ab2p.system.filter |grep http
s@.*\sHTTP\/1.*@$&\r\nX-Frame-Options: DENY@i
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></link>@iUD
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/debug/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host.debug/ab2p.css"></link>@iUD

It works for HTTP sites but does not work for HTTPS sites which got decrypted by MITM for privoxy to filter. It is due to browsers not allowing mixed content on HTTPS sites for targets other than localhost.

I tried preparing a local webserver with SSL and switching all 4 links to href="https://192.168.101.101:8445, but it seems not to work either, as information about the https content is not sent to the browser at all. It also seems to break regular HTTP sites.

@wmyrda

Author

commented May 31, 2018

It is possible to differentiate traffic which comes directly from browsers, which will always be HTTP, and the one that comes from the HTTPS proxy, where it is additionally tagged. In my case it is client-header-tagger{tagger4https}, so perhaps the rules could be changed for them, and in case of SSL traffic it should be directed to a different port at which the same content gets served, just over https?

I use the following in privoxy for SSL site filtering

proxhttpsproxy.action

{ +client-header-tagger{tagger4https} }
/
{ +forward-override{forward 127.0.0.1:8081} }
TAG:.*?ProxHTTPSProxyMII

proxhttpsproxy.filter

CLIENT-HEADER-TAGGER: tagger4https
s@^.*Tagged:.*ProxHTTPSProxyMII.*FrontProxy.*$@$0@i

@wmyrda wmyrda referenced this issue May 31, 2018

Closed

privoxy #579

@wmyrda

Author

commented May 31, 2018

As a workaround for this problem in Firefox one may set security.mixed_content.block_active_content to false, which would allow http content to be served on https sites.

A few things to keep in mind while using this workaround:

  • the ssl icon in the browser would no longer show the connection as secure
  • Firefox ESR 52.8.0 does not work, probably due to a bug, while Firefox 60 does
  • while it works for most SSL sites, there are still those, such as filmweb.pl or wpolityce.pl, for which config.privoxy.org does show that element hiding is used, but no information about the css file is sent to the browser by privoxy for the browser to download it

Chrome also requires intervention for mixed content to be loaded by the browser. Starting the application with google-chrome --allow-running-insecure-content is required.

Opera has its own options as well: http://help.opera.com/Windows/12.10/en/contentblock.html

@wmyrda

Author

commented Jun 1, 2018

It turns out some sites require more intervention, as they establish their own Content Security Policy. In Firefox one needs to set security.csp.enable to false. However, turning off all those security policies is never a good idea, therefore a fix to the script which would direct requests for local css files to https for https content is even more important.

@essandess

Owner

commented Jun 14, 2018

I’m going to declare that TLS interception is beyond the scope of this repo because of the inherent security risks and because robust configuration and testing is a time-consuming PITA.

If anyone wishes to fork the repo and get this working and tested themselves, I’ll consider a PR in the future.

@essandess essandess closed this Jun 14, 2018

@wmyrda

Author

commented Jun 14, 2018

The idea is rather simple. If a link is tagged with +client-header-tagger{tagger4https} +filter{ab2p-elemhide-filter}, then send it to CSS served over HTTPS

CLIENT-HEADER-TAGGER:tagger4https FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/$host/ab2p.css"></link>@iUD

Otherwise, if client-header-tagger{tagger4https} is not specified, then serve the link to CSS over HTTP as usual.

FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></link>@iUD

What is problematic is that the privoxy manual does not say it allows a double rule on a single line, so probably it is not achievable so easily.

@wmyrda

Author

commented Jun 14, 2018

OMG I do not believe it. It was so simple

FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></l
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/$host/ab2p.css"></link>@iUD

It turns out placing both under element hiding works in every scenario without any security tricks in browsers :) I would have to do some testing, but I think the reason HTTPS broke for HTTP sites is that other browsers did not have the local website certificate accepted, as it is self-signed, and therefore disregarded the https link.
If that is true, then the implementation in adblock2privoxy seems very simple: adding a new command line switch, e.g. -ssl, which would for element hiding create an https:// link instead of plain http://
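The filter behaviour discussed in the last two comments, modelled as an added example (not code from adblock2privoxy or privoxy): a Python re-implementation of the `s@...@...@iUD` element-hiding rule that injects the `<link>` tags after `<head>`, plus a check for which of those links a browser drops as mixed content on a decrypted HTTPS page. The css host, ports and sample HTML are taken from this thread or constructed here.

```python
import re
from urllib.parse import urlparse

# Added example, not code from adblock2privoxy or privoxy: a model of the
# s@...@...@iUD element-hiding filter from this issue, showing where the <link>
# tags land, why the guard around <head> matters, and which injected links a
# browser refuses as mixed content on an HTTPS page decrypted by the proxy.
HEAD_RE = re.compile(r'''[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])''', re.IGNORECASE)

CSS_HOST = "192.168.101.101"            # LAN css server used in the issue
PORTS = {"http": 8445, "https": 8446}  # ports used in the thread

def css_links(scheme, host):
    """The two <link> tags one filter line injects; $host expanded as privoxy would."""
    base = f"{scheme}://{CSS_HOST}:{PORTS[scheme]}"
    return (f'<link rel="stylesheet" type="text/css" href="{base}/ab2p.common.css"></link>'
            f'<link rel="stylesheet" type="text/css" href="{base}/{host}/ab2p.css"></link>')

def inject(html, host, schemes=("http",)):
    """Apply the filter once per scheme (privoxy s@@@ without 'g' replaces only the
    first match). ("http",) is the original rule, ("https",) the tagger4https
    variant, ("http", "https") the two-line fix from the last comment."""
    for scheme in schemes:
        # $& is the whole match; the [^'"\s] guard and lookahead skip a quoted "<head>"
        html = HEAD_RE.sub(lambda m: m.group(0) + css_links(scheme, host), html, count=1)
    return html

def mixed_content_blocked(page_scheme, html):
    """hrefs a browser refuses on an https page: plain http to anything but localhost."""
    if page_scheme != "https":
        return []
    return [h for h in re.findall(r'href="([^"]+)"', html)
            if h.startswith("http://")
            and urlparse(h).hostname not in ("localhost", "127.0.0.1")]

# Constructed sample page; the quoted "<head>" inside the script must stay untouched.
SAMPLE = ('<!doctype html><html><head><title>t</title></head>'
          '<body><script>var s = "<head>";</script></body></html>')
```

Running `mixed_content_blocked("https", inject(SAMPLE, "example.com"))` reproduces the original complaint: both http:// stylesheet links are dropped on an HTTPS page, while the `("http", "https")` variant leaves the https:// pair loadable.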
