sticky: extensions

[Thorin-Oakenpants]

:exclamation: DO NOT START DISCUSSIONS IN HERE, start a new issue instead. ONLY use this thread to report extensions - thank you

Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki Extensions page. Stick to privacy and security related items, and do not mention legacy extensions

:small_orange_diamond: Added Web Extensions

• ... go look on the Wiki page - not listing things twice

:small_orange_diamond: Pending Web Extensions

• Negotiator | GitHub
  • doesn't work (yet) full of bugs and errors - ask earthlng - worth revisiting
• Google search link fix | GitHub
  • google/yandex. Personally, I use a user script called "google privacy" which has been working for years - I should find a link for it, see if it's maintained, stick in the wiki for user scripts? -Thorin
• Searchonymous2 | GitHub
• Modify Header Value
• Referer Control
• eCleaner (Forget Button) | GitHub
  • NOTE: bulk clean per storage type: eg indexedDB, dom storage etc
  • NOTE: Is using wrong Storage API for settings??? Requires cookies in order to access local dom.
• mHeaderControl | GitHub
• Shape Shifter | GitHub
• EditThisCookie
• History AutoDelete
• Canvas Defender
• FoxyProxy
  • Basic
  • Standard
• WebAPI Manager | GitHub

:small_orange_diamond: Rejected ^{If you strongly disagree, then by all means, bring it up}

• ... nada yet

...

[2glops]

uBlock Origin webext released (dev channel) on AMO https://github.com/gorhill/uBlock/releases/tag/1.13.9rc2

uMatrix webext released (dev channel) on AMO https://github.com/gorhill/uMatrix/releases/tag/1.0.1b6

[crssi]

For anyone using Self-Destructing Cookies or Cookie AutoDelete... the Cookies Exterminator still works as intended to delete cookies and storages as temporary solution until storage drama is resolved. See https://github.com/nylira/prism-break/issues/1796#issuecomment-323604265

[savyajha]

Decentraleyes has a webext beta out for nightly users only. https://addons.mozilla.org/firefox/addon/decentraleyes/versions/beta?page=1#version-2.0.0beta1

[savyajha]

Maybe make 2 lists for ESR and 57+? That of course, leaves the versions in between out in the cold, but not for too long. The guys in between can probably mix and match.

Also, violentmonkey on AMO is lagging behind what we have on the chrome store. That's not a dealbreaker, but if the situation continues I'd recommend Greasemonkey/Tampermonkey instead. I myself am a violentmonkey supporter, but I can't support being treated like a second class citizen.

[savyajha]

Re VM, GM, TM. Please leave politics out of it. Still quite some time for GM to port yet. I want GM (reasons), and do not ever want to suggest TM (reasons). Was only looking at VM as an alternative.

My intention wasn't being political here. Forgive me, I meant to say that if VM seems to not update on AMO as often as it does on Chrome, then it's not a good idea to have it because it might imply a lack of interest from the author towards FF. I have no opinion on VM vs TM vs GM apart from knowing that VM is the only opensource webext among them. :)

[ghost]

I hope I'm in the best thread to expose my experience concerning uB0 Webextension running on Waterfox 55.0.2 with a profile on a RAMDisk.

In fact it's less a uB0 problematic than a Webextension using IndexedDB to store data in the user's storage folder.

I'm running Waterfox 52.2.0 with my profile on a RAMDisk.

I was surprised that backing up my uB0 settings, uninstalling uB0 1.13.8 legacy add-on, installing then uB0 Webextension 1.14.0 and restoring my settings ... would indeed install uB0 but just wouldn't handle the data in dedicated uB0 subfolder in Storage folder : the only data stored were those of My filters and My rules.

I then installed a new Waterfox profile on hard-disk, installed uB0 WE and all was OK, includinf data in Storage folder.

I spent hours trying to understand what was wrong. It wasn't a user.js setting because further testings on the new hard disk profile worked OK with the same user.js file copied before installing uB0 WE. I tried removing one after another several of my 67 add-ons ... nothing would do it.

So here is the culprit: when the profile is on a RAMDisk the IndexedDB process doesn't handle data management in the Storage folder correctly.

I installed once again a new profile on hard disk, copy-pasted my RAMDisk profile, backed-up my uBO settings, removed uBO legacy add-on, installed uBO WE and all was fine.

1- If this is the wrong thread please move it to the correct place; 2- I'm sharing this experience not because Pants' user.js is concerned but because Firefox is the main concern here. 3- If you have any info about this Firefox IndexedDB / RAMDisk issue thanks for sharing. I've searched the Web and found nothing up to now. 4- My RAMDisk is Dataram RAMDisk 4.4.0 RC36 with a 200MB RAMDisk partitioned with NTFS.

Thanks.

[Atavic]

You can check this as maybe Dataram lacks the option to "Save contents to image".

[ghost]

@Atavic I use a 200MB image with Save Image at shutdown and Load Image at startup, that's not the problem. I've always had my Firefox profiles on the RAMDisk, now the Waterfox profile. All runs perfectly well. Sites which use the Storage folder do it correctly, it's only the IndexedDB process concerned managing a Webextensions data in the Storage folder which fails to do it right when the profile is on a (my, anyway) RAMDisk.

@Thorin-Oakenpants have a second look at the avatar, it's a vertical symmetry of that of Zymase's ... as my pseudo is his anagram! But the soul is the same. Zymase had closed his account and because that account was mine I opened a new one as a shade copy... NEW topic? But I remembered you didn't like people starting new topics when a dedicated one was more pertinent... anyway, Pants, please feel free to move my comment to a new topic then. Thanks

EDIT: I did think about asking Gorhill but seems to me this problematic is closer to general FF issues (hence here) than to uB0 specifics.

[siric]

• EditThisCookie
• History AutoDelete
• User Agent Switcher - Thorin : we do not condone UA meddling except via privacy.resistFingerprinting
• Canvas Defender

https://addons.mozilla.org/en-US/firefox/collections/siric/webextensions-privacy-security

[EchoDev]

FoxyProxy just made the switch to WE.

Basic version: https://addons.mozilla.org/firefox/addon/foxyproxy-basic Standard version: https://addons.mozilla.org/firefox/addon/foxyproxy-standard/

Login based SOCKS proxies don't seem to work (Probably a browser limitation atm). Also I'm not sure if DNS lookups are performed through the proxy, this might leak browsing info. I will try to contact the addon developer about this.

[earthlng]

I've wondered about this, ie FoxyProxy or similar - the way this works is that you can have certain domains run through different proxies, right? so what happens with the resources from 3rd party domains on those domains, do they get routed through the same proxy as the original domain or does every single request query FoxyProxy for the proxy to use?

[EchoDev]

Third party requests do not get routed through the proxy (if they don't match the rules). That's why I block third party requests in uMatrix on the sites I use the proxy on.

FoxyProxy used to have paid version which did detect third party requests and pushed them through the proxy but due to WE limitations support for that version has been dropped (for now, it might change in the future).

If you want third party requests going through the proxy, you need the third parties to be predictable (which is why I block the third party requests because it is all way too dynamic and you never know when a third party domain changes). You could also proxy all your traffic through 1 proxy but I'm not a fan of that. FoxyProxy + uMatrix to block third parties is the way to go for me.

[earthlng]

Thank you. A proxy-per-container solution would be nice

[Atavic]

Not separated by Containers (Yet):

• History
• Bookmarks

Source

[Atavic]

Maybe a webext that uses the VirusTotal Public API could be listed as optional?

• https://add0n.com/virus-checker.html or
• https://add0n.com/security-plus.html

[Gitoffthelawn]

You may want to check out CookiErazor. It's brand new.

https://addons.mozilla.org/firefox/addon/cookierazor/ https://github.com/Miraculix200/CookiErazor

[crssi]

^^will keep an eye on it, but at this point it does not clear local storage. guess we need to wait for mozilla to make those APIs working.

[Gitoffthelawn]

@crssi Do you know if containers keeps local storage separate for each container? What's a good website to test local storage containment?

[crssi]

@Gitoffthelawn Yes, from what I can see its separated and looks like each container has its own store. I wonder if there are APIs to create and destroy containers... you can guess where I am aiming too.

There is a page I use to test (don't mind the language). Main page: http://telekom.si The sub page that fills the storage's: http://www.telekom.si/zasebni-uporabniki/mobiteli-in-naprave/mobiteli#v-prodaji=da

So... you can go to main... and you will see nothing in storage's, then go to the sub page, which fills the storage. Close tab and open new one with a main page... you will see storage's with data still in. You can even change some data to something you will remember. ;)

@Thorin-Oakenpants which repo?

[Gitoffthelawn]

@crssi Thanks! Any pages that test local storage directly without having to check manually in devtools?

[crssi]

http://www.theburningmonk.com/demos/web storage/storage_demo.html https://www.w3schools.com/html/html5_webstorage.asp https://hacks.mozilla.org/2009/06/localstorage/

[Gitoffthelawn]

@crssi Thanks, especially for: http://www.theburningmonk.com/demos/web storage/storage_demo.html

[Thorin-Oakenpants]

@rekixex - see https://github.com/ghacksuserjs/ghacks-user.js/issues/249

[crssi]

I would like to suggest for Neat URL | GitHub It completely replaces now obsoleted extensions like Clean Links and Pure URL.

[EchoDev]

It is already in the wiki. See here: https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-B:-Extensions

[Jeronymo45]

Is there any sense from "Multi-Account Containers" extension if I use uBlock and uMatrix? They are already blocking the spying on the user. What is the use of it.

[2glops]

Decentraleyes is now a webextension Fully rewritten with new features

• [x] moved from legacy extensions to extensions now it's AMO landed - Thorin

[Thorin-Oakenpants]

^^ https://decentraleyes.org/test/ - pro tip: in NoScript you need to allow file:// ... I had that as default deny .. wonder if the old decentraleyes needed that? !! Oh well, now its working

[Gitoffthelawn]

Just released: WebAPI Manager https://addons.mozilla.org/firefox/addon/webapi-manager/ https://github.com/snyderp/web-api-manager

Allows very granular control over which APIs each site can use.

[Atavic]

How fares against ABE in NoScript?

[Thorin-Oakenpants]

^^ huh?

[Atavic]

It is similar to NoScript's ABE, which handles various INCLUSION types, See:https://github.com/ghacksuserjs/ghacks-user.js/issues/257#issuecomment-336295427

A few types are in common with the webapi-manager items: https://github.com/ghacksuserjs/ghacks-user.js/issues/258#issuecomment-337923230

[Thorin-Oakenpants]

This is already covered. I'm trying to work out WTF is fixing it for me. When I moved to ViolentMonkey I ditched all my scripts bar one (GoogleMonkeyR, which contains an option to strip tracking on links - I also ditched a script called Google Privacy which I had for years). I've disabled that and the tracking is still removed. I also disabled Neat URL and Skip Redirect and Request Control and I still get the following

I did a search for test and that's my mouse hovering over the item to show the link in the bottom left. I'm stumped a little as to why this is cleaned up for me

[EchoDev]

@Thorin-Oakenpants I think NoScript cleans Google seach results too.

[Thorin-Oakenpants]

I disabled every single extension, cleared everything, even closed and restarted - and I still get no tracking on google search links. Note: i am firing these pages from a custom google search engine which was just the default https google.com search landing page added via AddToSearch years ago - but this should not make a difference. I also have no FollowOn system addon.

Edit: In a brand new FF56 profile, I get no google tracking on url links

[Gitoffthelawn]

@Thorin-Oakenpants What's the "no FollowOn system addon"? Link?

Could that be it? Or are you saying you don't have it installed?

[Thorin-Oakenpants]

^^

I also have no FollowOn system addon

System Addons: see section 0500. Correct, I have only one system addon xpi and that is screenshots (which I don't even use but left in for testing)

[atomGit]

Self Destructing Cookies 0.1 WebExt by Dirty Little Helpers

hmmm... dot com domain that requires JS to view content; permissions include file downloads; no credit/mention of the original SDC; doesn't (yet?) do LocalStorage

[verlain3]

Cookie AutoDelete doesn't support LocalStorage yet according to the extensions wiki. My question is: Is this an issue even for someone who uses cookie behavior as 2 (deny all)?

[Thorin-Oakenpants]

^^ Depends on who's cookies you allow. E.g I allow around 7 cookies - 5 of which are for sites that I log into. These 5 sites are useless without logging in. I lose nothing really by keeping their cookies/local-persistent data, as I am already uniquely ID'd by them. The other 2 sites are for convenience - DDG and ArsTechnica so that the dark theme auto applies. Everything else if I allow a cookie is for session only, so all data is destroyed on close.

AFAIK clearing cookies on close (such as session only cookies) also removes the local storage, BUT if you use CAD to destroy the cookie but leave the local storage, then sucks to be you.

[verlain3]

I don't change anything cookie related from the default user.js available here, which has cookie behavior on deny all = 2 and on top of that i use the extension cookie controller.

I was looking to change it for CAD but i'm confused about the LocalStorage thing. I assume that even using deny all & clearing cookies on close it will still keep the local data.

[Thorin-Oakenpants]

You don't need to change it for CAD - CAD will still process any cookies you allow thru as exceptions. You do not need to allow ALL (1st party) cookies.

The user.js uses FPI (first party isolation) - cookie extensions cannot (yet, maybe by 59? 61? who knows) control cookies set with FPI, so it's pointless at this stage using one IMO. Note: extensions also cannot control PB mode cookies - so PB mode is pointless (almost) at this stage as well, IMO (use PB mode for one off windows).

Note: with FPI, everything is limited to 1st party, so even containers are pretty much obsolete. The only downside is that first party re-recognizing you. For sites you log in, not a big deal. For other sites you have options - eg I allow and keep DuckDuckGo and ArsTechnica - everything else is session only. AFAIK clearing the cookie clears the quota - someone correct me on this if I am wrong) . You can also use a one off PB window for sites - when all PB mode windows are closed, all data is removed - so you could use this to bypass your normal window's cookie behaviour (eg I could visit github in pb mode so I do not auto login). You can also use containers, as OA's concatenate (see #240 ) - i.e https://example.com^userContextId=1&firstPartyDomain=example.com - meaning a new separate instance of cookie+local+IDB etc

Because I allow sooooooooooooo little cookie exceptions, I have never had any IDB entries, but local storage I should really check out (since I do allow around 10 more for session only). The file I believe is storage.sqlite. We should test it with a site that sets local storage and see what happens when the cookie is session only, or when we manually clear cookies

tl;dr cookie extensions are useless right now: they cannot control local storage until FF58 and extension code updates (and removing the cookie may stop FF clearing the local storage) and with FPI and PB mode they do not work, period.

[Thorin-Oakenpants]

^ Edit: In a brand new FF56 profile, I get no google tracking on url links

bump! what gives? anyone else getting the same behaviour. Note: this is from the search bar using a sanitized search engine

[verlain3]

@Thorin-Oakenpants thanks for the detailed information. I will keep an eye on this matter on the further releases then. :)

[Gitoffthelawn]

@Thorin-Oakenpants Why are you using PB mode instead of containers?

[2glops]

HTTPS Everywhere is now a webext

[atomGit]

nice alternative to HTTPS Everywhere if anyone is interested

[Thorin-Oakenpants]

We went thru this smart https before (with Tom!). It is NOT smart in any way. The whitelisting approach breaks the model, the cache breaks the model (All websites that do not support HTTPS, are saved to memory), it also means persistent local data, and it hammering every single http site for https versions is ridiculous IMO. It also cannot handle complex rulesets - such as all those careful crafted by EFF.

[2glops]

Testing uBO-Scope: https://github.com/gorhill/uBO-Scope "A tool to measure over time your own exposure to third parties on the web"

[Gambit78]

greasemonkey 4.0 webext.