arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

sticky: extensions #294

Closed Thorin-Oakenpants closed 6 years ago

Thorin-Oakenpants commented 6 years ago

:exclamation: please try to NOT start discussions in here, start a new issue instead. ONLY use this thread to report extensions - thank you

Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki list 4.1: Extensions. Stick to privacy and security related items, and do not mention legacy extensions

:small_orange_diamond: Added Web Extensions

:small_orange_diamond: Pending Web Extensions

:small_orange_diamond: Rejected If you strongly disagree, then by all means, bring it up

...

claustromaniac commented 6 years ago

A handy one for security was updated to WE three days ago: VTzilla. I only barely skimmed the source code, but the privacy policy is fine.

Default settings kinda suck though, since everything you download is sent to VirusTotal. I would only enable the option to ask to scan the file on VirusTotal before downloading, and only use it to scan executables that I don't mind the VirusTotal community getting their hands on.

I realise this probably doesn't belong in the wiki, since this doesn't bring anything new to the table (nothing other security solutions can't cover), no real hardening going on either, and even Firefox itself has its own built-in Safe Browsing for this purpose. I just wanted to let folks know.

Thorin-Oakenpants commented 6 years ago

^^ without having read it fully... so context menu: scans the file you point at on the server .. and THEN you can download it if you want after the VT result. Seems like a reasonable extension. But as you said, the default settings suck and I wouldn't want to promote it for that reason (because people are lazy and just blindly install things without reading). Maybe the dev(s) can be persuaded to change that

That said, I agree this probably outside our scope. Not my mandate to babysit people's DL and web habits

claustromaniac commented 6 years ago

Just to make clear why I still wanted to share it here (for anyone wondering):

I personally find VirusTotal, HybridAnalysis and similar services really useful because I normally prefer to tighten the security where data gets in, instead of continuously scanning memory and file system for malicious code (the latter being what resident antiviruses do). Why? The same reason I wash my hands often (I don't have OCD... not THAT often) instead of leaving everything to my immune system.

When you combine using these services with healthy practices and tools such as a decent firewall, keeping the whole system up to date, being cautious with what you plug in all your ports (and tweaking the system to disable autorun and such), and running in a virtual machine the shit you still just can't trust, then you don't need resident antiviruses. They become mostly just a waste of system resources.

It is probably not an optimal mindset for the average computer user (some of said practices require a fair bit of know-how, albeit nothing is really difficult), but I suspect I'm not the only one with that philosophy around here. :)

crssi commented 6 years ago

@claustromaniac nice one... The Show 'Send to VirusTotal' prompt when downloading files and Pause downloads when sending to VirusTotal options don't seem to work (haven't tried much now, but maybe containers); otherwise I unchecked all options. Having just a shortcut in the context menu is nice.

Thorin-Oakenpants commented 6 years ago

but I suspect I'm not the only one with that philosophy around here

I think among users here you would be in the majority. Any decent strategy would cover all layers/levels/architecture and have multiple fallbacks. As long as you're informed, you can do what you like based on your threat model / risk assessment.

Like you, I prefer to be proactive. AV is massively overrated IMO (although its mandate has changed a lot over time). To me, it's something that comes too late. I'd rather plug all the holes that could let it get on my system in the first place. Not for everyone, but I actually don't even bother having AV at all, I feel that secure in my setup. In the 20 years or so I had an AV, I never once had anything except false positives.

The biggest problem in security is ... humans. People are inherently stupid, and you can't (usually) fix stupid. This is why OpSec is so hard to master/teach

bberberov commented 6 years ago

I tried Forget Me Not and it is not removing cookies in the current version. Waiting on Lusito/forget-me-not#59.

crssi commented 6 years ago

@bberberov Try C-AD. Is it the same problem with C-AD? If it is, I might have one idea.

Thorin-Oakenpants commented 6 years ago

I'm not using any cleaning extensions (I just don't let anything get stored really) - might take a while for everything in that regard to mature due to FF web extension limitations etc - look at all the persistent storage types (cookies, localStorage, IDB, app cache, SW cache) and mix that with OA's (FPI & PBMode & Containers) and between all the combos, there are still issues.

Joel889 commented 6 years ago

@bberberov Forget Me Not works if set up correctly. There is also a nice update coming soon that allows white-listing individual cookies (as opposed to keeping all from a domain).

I initially used C-AD, but stopped using it, because it doesn't clean Local Storage and Indexed DB well. The developer keeps saying it cannot be done, but somehow ForgetMeNot is able to clean everything. If you read through my posts, I've tested this extensively with both addons.

ForgetMeNot is also the closest addon to the defunct CookieCuller / CookieKeeper / CookieAutoDelete, with features that C-AD won't implement (I suggested it).

crssi commented 6 years ago

@Thorin-Oakenpants I know, you are a big girl who can take care of mostly all of the internet browsing shit and I do agree with you completely, but only when we are talking about us... geeks. I do this stuff also for elder users, who do not understand 1% of this shit storm, and for them it is essential that 99% of stuff works without any user interaction.

Quite a lot of pages elder people use do not work when cookies are denied, especially 1st party. There are a few that don't work if 3rd party cookies are denied (for example vimeo embedded video); funny is that those are still working when you just accept the 3rd party cookie and do an outgoing deny with uM.

So what I do: FF accept all cookies... dealing with C-AD for first party and deny all 3rd party with uM. What I have found out is that C-AD does not work as intended when the uM->Settings->Privacy option Delete blocked cookies is ticked/enabled. That is what I assumed might be @bberberov's problem.

@Joel889 in the past "Forget Me Not" didn't clean LS as well (this might have changed lately, but I haven't been keeping an eye on it... will give it another look today). What exactly does "if set up correctly" mean?

For sure there is another WE... "Temporary Containers" which is really great, but for real it has to polish some quirks to be really set and forget and I hope the author will find some time to do those.

Cheers

claustromaniac commented 6 years ago

Show 'Send to VirusTotal' prompt when downloading files and Pause downloads when sending to VirusTotal options don't seem to work (haven't tried much now, but maybe containers)

True. I didn't test much either, but it could be just a bug. It is tagged as experimental, after all.

AV is massively overrated IMO

I mostly agree with you. If you're far enough along the learning curve you can perfectly well ditch AV entirely; in that sense AV is overrated. Not to mention that hash-based detection is very easy to fool, and heuristics have many pitfalls.

I still think they're necessary (and good) tools because not everyone can afford the time (or brains) to learn what's needed to feel that safe without one. Besides, there is a learning curve (no one is born knowing shit), so even people with the time and brains to learn are better off using one while they learn.

Anyway, I better drop this before going off topic much more lol. Sorry about that.

By the way, I suggested the VTZilla devs to change the defaults. Let's see if that argument is good enough for them.

bberberov commented 6 years ago

@crssi I don't have Delete blocked cookies on.

@Joel889 I just went Quantum from being on ESR ahead of ESR changing at 60. I used CookieKeeper etc. I didn't use to keep cookies, but then I started using Bugzillas more, and it's very convenient to configure the view once and have it persist, even when not logged in. I think that's a sensible use case that I shouldn't have to give up on. There are others.

@Thorin-Oakenpants I'm not a dev, but I looked at some of the WE API, and there does not seem to be a lot to work with there. I can see now why devs are not porting extensions and functionality is lost.

Thorin-Oakenpants commented 6 years ago

@bberberov I didn't mean that it is worse now than it was before.

I have never used a cleaning extension, so I'm not 100% sure - and due to my lack of allowing 99.9% of persistent data in the past, I have no anecdotal evidence (eg until FF56 IDB was disabled, until 59 appcache was disabled, until 60 workers were disabled - cookies remain so - I've never seen an IDB entry in my life!) ... but I believe with IDB that there has NEVER been the ability for sanitizing it by host or time range. Also FPI (FF51) & cookies are an issue (fixed in 58). So currently ESR52 users with FPI have issues (i.e I think even legacy extensions can't handle OA's). If anything, the new Web Extensions API will allow all of this to be properly sorted out once and for all

ke-d commented 6 years ago

@Joel889

I initially used C-AD, but stopped using it, because it doesn't clean Local Storage and Indexed DB well. The developer keeps saying it cannot be done, but somehow ForgetMeNot is able to clean everything. If you read through my posts, I've tested this extensively with both addons.

CAD already clears localstorage if you enable the setting.

As far as I know, there's no API to clear IndexedDB per individual site. Right now, you can clear IndexedDB for every site as well as various other data from the browsingData API. I could implement it with all those other data but it would be copying every other simple cleaning extension that does the exact same thing. One example

I'd rather use APIs that can take advantage of individual site cleaning rather than an all or nothing approach (since you can just use various other simple cleaning extensions that are easy to make or use the Clear history when Firefox closes option).

crssi commented 6 years ago

@Joel889 Forget Me Not does not clean IndexedDB (only manually for all sites, as @mrdokenny says) and for cookies it works very unreliably, whereas CAD does the job very well. CAD wins over FMN big time.

bberberov commented 6 years ago

@Thorin-Oakenpants This is slightly off topic, but in your opinion, can Places be re-implemented as a Web Extension? Is there enough access through the API to record the same complete history and a storage capability to keep a bookmark hierarchy? I looked a little at the documentation, but I'm new at this.

Thorin-Oakenpants commented 6 years ago

@bberberov I am not an extension developer, so I have no idea. There should be storage capacity for web extensions (eg IDB) but size limits may play a factor. I'm not sure why you would want to reinvent the wheel - eg FF already collects all this info - is it for display purposes? Maybe an extension can hook into places.sqlite and display/search it in a shiny new interface. I seem to remember a legacy extension or trial (but may be confused with the browser involved) that showed (based on history) things like frequency of visits, number of visits, etc with little graphs and stuff on a dashboard.

bberberov commented 6 years ago

@Thorin-Oakenpants Annotations are going away, which includes descriptions: https://bugzilla.mozilla.org/show_bug.cgi?id=1460577 The WE API for bookmarks is limited. There are new regressions in bookmark handling in 59/60 vs. 52. I'm looking for a solution to these issues.

forteller commented 6 years ago

No one has said anything about my comment above. IMO it's a very important privacy extension, so let me quote myself:

I would like to recommend adding the extension Redirect AMP to HTML. Google is trying to gather as much information about everyone's browsing habits as possible, and to eat up as many web services as possible. Now they've gone so far as to host other people's content for them. This is very destructive to the web, and your privacy. Read more about it here: https://danielmiessler.com/blog/google-amp-not-good-thing/

This extension redirects you away from AMP, so you don't use it yourself and don't link others to it when sharing the link. It's very important to send the message to newspapers and everyone that we don't want Google to own the web, we don't want AMP.

Thanks!

Thorin-Oakenpants commented 6 years ago

^^ not forgotten .. here's my inbox (somewhat sanitized!)

The top line just came in. I still have, marked as unread (but I read it) the one from 3 months ago yet to action. That is, it's still actionable because I haven't written it off, so to speak. I agree it's important to stop this BS, but at the same time, this repo is predominantly about desktop - as in I do not wish to end up dealing with Android BS if I can help it.

That said, what does everyone else think? It's definitely a privacy issue, but does it really give any added privacy on Android? Note: I haven't looked at the actual extension. Maybe start a new issue, IDK.

earthlng commented 6 years ago

@forteller thanks for mentioning it again, I totally missed your original comment.

AMP sounds absolutely appalling but what else can you expect from Google. I completely agree with everything written in your linked article. Thanks for the link

This extension redirects you away from AMP

unfortunately only after you visit the AMP site because it has to get the non-AMP link from the source code. Still useful when you bookmark a site though, for example.

and don't link others to it when sharing the link.

this is probably the main reason to use the extension. It's not just about mobile either, Pants.


github: https://github.com/da2x/amp2html

it's a single contentscript injected into all http(s) sites and runs at document-end. There are 3 parts to it:

I never use anything google and don't share a lot of links so I don't have much use for the extension but if it can help that potentially fewer people link me or anyone else to AMP and thus google servers, I'm all for recommending it. Anything we can do to fight back against the evil G gets a :+1: from me
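The mechanism earthlng describes (the page has to be loaded first, then the non-AMP link is read out of the source) can be shown with a small standalone function. This is an added example written for this thread, not code from amp2html; it assumes the two documented AMP markers (an `amp` or `⚡` attribute on the `<html>` tag, and a `<link rel="canonical">` pointing at the original article), the sample documents and URLs are constructed, and the actual redirect call a content script would make is only indicated in a comment.

```javascript
// Added example: recover the canonical (non-AMP) URL from an AMP document.
// A real content script would run at document-end and call location.replace()
// with the result; here everything works on an HTML string so it runs offline.

// AMP documents mark the root element with an `amp` or `⚡` attribute.
function isAmpDocument(html) {
  const open = html.match(/<html\b([^>]*)>/i);
  if (!open) return false;
  const attrs = open[1];
  return /(?:^|\s)(?:amp|⚡)(?:\s|=|$)/i.test(attrs);
}

// Pull the href out of the first <link rel="canonical" ...> tag, in either
// attribute order. Returns null when the page has none.
function canonicalHref(html) {
  const link = html.match(/<link\b[^>]*\brel\s*=\s*["']?canonical["']?[^>]*>/i);
  if (!link) return null;
  const href = link[0].match(/\bhref\s*=\s*["']([^"']+)["']/i);
  return href ? href[1] : null;
}

// Decide whether the current page should be replaced by its canonical URL.
// Returns the absolute target URL, or null when no redirect should happen
// (not AMP, no canonical link, or canonical points back at this same page,
// which would otherwise loop).
function ampToCanonical(html, currentUrl) {
  if (!isAmpDocument(html)) return null;
  const href = canonicalHref(html);
  if (!href) return null;
  const target = new URL(href, currentUrl).href;
  return target === new URL(currentUrl).href ? null : target;
}

// Constructed sample documents (not real pages).
const SAMPLE_AMP =
  '<!doctype html><html ⚡ lang="en"><head><meta charset="utf-8">' +
  '<link href="https://example.com/article" rel="canonical"><title>t</title>' +
  '</head><body></body></html>';
const SAMPLE_PLAIN =
  '<!doctype html><html lang="en"><head>' +
  '<link rel="canonical" href="https://example.com/article">' +
  '</head><body></body></html>';

// In a content script this would be:
//   const target = ampToCanonical(document.documentElement.outerHTML, location.href);
//   if (target) location.replace(target);
console.log(ampToCanonical(SAMPLE_AMP, 'https://amp.example.com/article'));   // canonical URL
console.log(ampToCanonical(SAMPLE_PLAIN, 'https://example.com/article'));     // null
```

Note the loop guard at the end of `ampToCanonical`: a canonical page that happens to carry the AMP attribute itself must not be redirected to its own address.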

Joel889 commented 6 years ago

@mrdokenny

CAD already clears localstorage if you enable the setting.

Not always, as confirmed here: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/issues/355

Both localstorage values (https://html5demos.com/storage/) disappear automatically in ForgetMeNot, but one of the values remains in C-AD.

Yes, IndexedDB cannot be cleaned on a per site basis, but having an on demand button beats having to close the browser in order to clear it.

2glops commented 6 years ago

Good news for SSleuth (the only legacy extension I missed) : github.com/sibiantony/ssleuth/issues/78

claustromaniac commented 6 years ago

Quoting myself:

I suggested the VTZilla devs to change the defaults. Let's see if that argument is good enough for them.

Welp, it clearly wasn't. They changed its privacy policy instead :man_facepalming:. More precisely, they outright removed the one that was on AMO and lumped the bits relevant to the extension with the general VT privacy policy. Not only that, but they also added a new opt-out exclusively for collecting information.

Moreover, quoting the relevant part of the policy:

Existing users of a VirusTotal extension will need to opt-in to share pDNS data with the Community. Users downloading the VT extension for the first time may opt-out of this collection in the extension’s settings.

...the funny thing is that's not even true. Existing users have to opt-out too. This move has EvilCorp written all over it. I very much doubt something like this would've happened back when VT was not owned by EvilCorp.

I guess I'll go back to bookmarking VT and manually scanning files when I want to. I don't want to trust them and I don't want to dissect the extension on every update just to see if I keep it or not. Not worth my time.

:jeans:, feel free to move this one under Rejected in the OP, if you want.

EDIT: I updated my review on AMO.

crssi commented 6 years ago

^^ But you can still uncheck all and have a nice shortcut with context menu to virus scan on demand.

claustromaniac commented 6 years ago

@crssi sure, I can do that, but did you see what the policy looks like now? They don't make very clear what parts of the policy apply to using the extension and what parts don't. The policy on AMO used to be very specific in that regard. The way it looks now, they could push an update any day adding data collection under the hood and I won't be sure they aren't doing that unless I keep looking at the source code.

I just don't want to trust them, and I don't want to invest that kind of time just for a context menu entry. Even writing my own extension for that would be a far better option than revisiting the source code every now and then lol.

Atavic commented 6 years ago

Virus Total's good for Google to collect info, while the protection/warning issued doesn't cover the VT user 100%. Malware creators use different services that are similar to VT but do not share (at least not openly) the results of file scanning.

I'd use Kaspersky instead, while keeping in mind that you're covered on 90% of online malware.

ghost commented 6 years ago

Blend In? https://addons.mozilla.org/en-US/firefox/addon/blend-in/

This is the only user agent spoofer I found that passes platform and oscpu at https://browserleaks.com/javascript. I don't know if the fact that there's only one setting is desirable, though.

Edit: I'm sorry. I just realized that you don't recommend ua spoofing add-ons.

Thorin-Oakenpants commented 6 years ago

^^ That's OK. It's interesting from a technical perspective. Just been reading about it - https://github.com/haqer1 is the owner so we could always @ him/her. I was surprised to see of the few reviews that they go back 7 years! 1000 users. Never heard of this before. I'm semi-impressed by the buildIDs to be honest. Interested to know how/who/what maintains the various spoofs, but it's a nice touch that it's plausible.

A decent UA spoofer could be handy, if used in moderation. AFAIK, an extension can override RFP's spoofing (since the extension is the last one to modify the header etc?) - so I can see edge cases where you might spoof as a different version. It kinda needs a global pref to spoof-or-not and then a white or black list. And it kinda needs to allow end users to define the UA.

Anyway, end of the day, you cannot truly hide your OS, but you can probably fool most sites/FP tests - since they don't (yet) get really down and dirty. So IDK, an OS+version spoofer seems fairly unimportant except to unbreak sites, not as a mechanism to defeat FP'ng.

Thorin-Oakenpants commented 6 years ago

^^ Since the RFP spoof doesn't spoof the OS (except to 4 platforms), this means Linux tends to stand out. And since "advanced" users (think uMatrix, uBO etc in hardened mode) can really limit exposure, this could be a handy tool (i.e a decent UA spoofer) to handle the case of OS/platform spoof

https://hardware.metrics.mozilla.com/ - Win 7 43%, Win 10 38% ... Linux 2.7%

Atavic commented 6 years ago

Containerise on AMO automatically opens websites in a container.

curiosity-seeker commented 6 years ago

Blend In? https://addons.mozilla.org/en-US/firefox/addon/blend-in/

This is the only user agent spoofer I found that passes platform and oscpu at https://browserleaks.com/javascript.

Yes, but it's still not perfect: on http://ip-check.info/?lang=en the User-Agent is reported as Windows NT 6.1 and the Browser Type as Mozilla 5.0 (Windows). However, the System is (correctly) reported as Linux. So this confirms Pants' remarks: you cannot reliably hide your OS.

crssi commented 6 years ago

@Atavic it looks like Containerise is a better alternative to Multi-Account Containers; for example, permanent containers created within it are not deleted by TC... at least from what I see.

curiosity-seeker commented 6 years ago

@crssi

it looks like Containerise is a better alternative to Multi-Account Containers; for example, permanent containers created within it are not deleted by TC

I've never seen this on my system. Permanent containers in MAC have never collided with TC so far.

curiosity-seeker commented 6 years ago

If a permanent container is created in FF settings then no, but if they are created over MAC, then after TC cleansing those are gone

Well, not here. I always create them in MAC.

curiosity-seeker commented 6 years ago

So do I.

curiosity-seeker commented 6 years ago

No, I haven't tried that yet. I'm afraid we're getting a bit OT here ;-)

KevinRoebert commented 6 years ago

Hello. I just wanted to say that ClearURLs moved to GitLab. The repository can now be accessed via the following link: https://gitlab.com/KevinRoebert/ClearUrls

Thorin-Oakenpants commented 6 years ago

@KevinRoebert Thanks. I've fixed our link. PS: in your readme (on github) notice you misspelled "Official" (missing the second i )

Thorin-Oakenpants commented 6 years ago

https://addons.mozilla.org/firefox/addon/universal-bypass/ - if anyone wants to check it out (excuse my ignorance on link shorteners) does this bypass giving away your browsing to the relevant parties (like the EvilCorp AMP bullshit)?

PS: I never click on shortened links anyway - f*ck em, but I'm intrigued, especially since we have an issue about AMP and also added a link to a remove_t.co user script in the wiki

claustromaniac commented 6 years ago

does this bypass giving away your browsing to the relevant parties

In short: yes.

AFAICT It's merely a convenience thing. It helps speed things up a bit, and it might help avoid unwanted side effects of clicking scripted buttons on those sites (like redirections and whatnot). The extension still needs you to allow scripts on most (if not all) of those URL shortening sites, though, so that last part might not be of much relevance anyway.

(like the EvilCorp AMP bullshit)

If you're referring to the Redirect AMP to HTML extension, I'd say that extension is just not meant to protect one's privacy in any way. It's a useful extension, just not privacy-wise.

EDIT: Got my confirmation. https://github.com/da2x/amp2html/issues/7

claustromaniac commented 6 years ago

I never click on shortened links anyway

Going a little OT: you might want to add those domains to your uBO filters, just in case. Before checking out that extension I wasn't even aware there were that many link-shortening sites out there...

Thorin-Oakenpants commented 6 years ago

(like the EvilCorp AMP bullshit)

If you're referring to the Redirect AMP to HTML extension

Nope. By bullshit, I mean 3rd parties sitting between me and the content... yet another asshole clipping the ticket

claustromaniac commented 6 years ago

I was going to make my own extension for this but I found one that looks good: Detect Cloudflare | GitHub

I was a little bit surprised when I found the Block Cloudflare MITM extension is not listed here. Should I have posted this in #310 instead?

I also found Claire, but I like the visibility of Detect Cloudflare and the fact that it lists all third party domains that go through Cloudflare as well.

Thorin-Oakenpants commented 6 years ago

detect cloudflare .. so 50% of sites I visit and growing - I think it's a losing battle TBH. Block Cloudflare is too extreme IMO - I think I've covered this before, but you can just block cloudflare in uM (right?, or is it not apparent and gets loaded via a redirect or something? sorry for using the correct technical terms for shit).

Claire looks kinda cool - shows HTTP2 and IPv6. Maybe we should discuss all this in a new topic

Thorin-Oakenpants commented 6 years ago

since we block HTTP2 and will do so for IPv6 (and NFI what a ray thingy is) .. I kinda like Detect Cloudflare especially the distinction tween orange and red

claustromaniac commented 6 years ago

I think it's a losing battle TBH. Block Cloudflare is too extreme IMO

I agree. Blocking is not for everyone. Not for many, even.

you can just block cloudflare in uM (right?, or is it not apparent and gets loaded via a redirect or something?

CF in the broadest sense is a CDN. It offers part of its services by delivering content as a third party (Decentraleyes covers some or all of these), and that part can be blocked with uM, uBO, etc. The worrying part from a security/privacy perspective is their service as a reverse proxy. That's what people refer to when they say CF is MITM'ing users. CF sits between the server and you, and some or all HTTPS traffic gets decrypted and re-encrypted along the way without your consent (but with the server's consent, since they are the ones using CF).

CF uses a number of custom headers, including the CF-Ray header, that can be used to detect its presence as a reverse proxy. That's what these extensions do.

I generally don't give a shit about CF because I don't use most websites I visit for personal stuff, but sometimes I want to know if CF is routing the traffic or not. Sure, I could just check the headers myself, but that gets tedious pretty fast. The extension not only saves me that trouble, but also serves as a constant reminder that I shouldn't blindly trust the padlock next to the URL.
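The header check claustromaniac describes can be written as a pure function over a response's header list, which is the shape the WebExtension `webRequest.onHeadersReceived` listener receives. This is an added example, not code from Detect Cloudflare, Block Cloudflare MITM or Claire; it relies on the documented Cloudflare response headers (`cf-ray`, `server: cloudflare`, `cf-cache-status`), the two sample responses are constructed, and the listener wiring is only sketched in a comment.

```javascript
// Added example: report whether a response's headers show Cloudflare acting
// as a reverse proxy in front of the origin. Pure function, so it runs offline
// on the constructed samples below.

// Normalise an array of {name, value} headers into a lowercase-keyed map,
// since header names are case-insensitive and servers vary in casing.
function headerMap(headers) {
  const map = {};
  for (const { name, value } of headers) {
    map[name.toLowerCase()] = value;
  }
  return map;
}

// Returns { proxied, evidence, ray }. `proxied` is true only when at least one
// header that Cloudflare's edge adds to proxied responses is present; the
// `evidence` array lists which ones, so a UI can explain its verdict.
function detectCloudflare(headers) {
  const h = headerMap(headers);
  const evidence = [];
  if ('cf-ray' in h) evidence.push('cf-ray');
  if ((h['server'] || '').toLowerCase() === 'cloudflare') evidence.push('server');
  if ('cf-cache-status' in h) evidence.push('cf-cache-status');
  return { proxied: evidence.length > 0, evidence, ray: h['cf-ray'] || null };
}

// One-line summary for a log or a tab badge tooltip.
function summarize(headers, url) {
  const r = detectCloudflare(headers);
  return r.proxied
    ? `${url}: routed through Cloudflare (${r.evidence.join(', ')})`
    : `${url}: no Cloudflare proxy headers`;
}

// Constructed sample responses: one fronted by Cloudflare, one served directly.
const SAMPLE_PROXIED = [
  { name: 'Content-Type', value: 'text/html; charset=utf-8' },
  { name: 'Server', value: 'cloudflare' },
  { name: 'CF-RAY', value: '0000000000000000-XXX' }, // placeholder ray id, not a real one
  { name: 'CF-Cache-Status', value: 'DYNAMIC' },
];
const SAMPLE_DIRECT = [
  { name: 'Content-Type', value: 'text/html; charset=utf-8' },
  { name: 'Server', value: 'nginx' },
];

// In an extension (assumed wiring, not shown): register a listener such as
//   browser.webRequest.onHeadersReceived.addListener(
//     d => { detectCloudflare(d.responseHeaders); }, { urls: ['<all_urls>'] }, ['responseHeaders']);
// and key the result by d.tabId and whether d.type is 'main_frame' (first party)
// or a subresource (third party), which is the orange/red distinction the thread mentions.
console.log(summarize(SAMPLE_PROXIED, 'https://example.com/'));
console.log(summarize(SAMPLE_DIRECT, 'https://example.org/'));
```

The point of keeping `detectCloudflare` free of browser APIs is that it can be unit-tested against captured header sets, and that the same function serves both the first-party check (main frame) and the third-party check (subresources), which is what distinguishes the two colours in the extensions discussed above.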

Thorin-Oakenpants commented 6 years ago

Am thinking we should add Bitwarden to the wiki - personally, I plan on wiping all my FF saved passwords and disabling it, and using Bitwarden instead. Haven't really looked at the whole thing, but FF's encryption of passwords isn't meant to be the greatest (but I do not consider my PC to be under any threat). No other password manager extension comes close to BW, right? Anyone got any opinions?

might need to retire this issue and start a clean new one, and review what's been covered in the hundred comments

curiosity-seeker commented 6 years ago

No other password manager extension comes close to BW, right?

Hm. There have been several concerns (example) about the security of LastPass. What makes you sure that Bitwarden does it better?

Thorin-Oakenpants commented 6 years ago

My understanding is that the data is encrypted locally and no-one but you can decrypt it, so the cloud versions for syncing cannot be compromised. Maybe I need to actually read up on the exact features. Plus it's open source AFAIK

Edit:

Bitwarden stores all of your logins in an encrypted vault that syncs across all of your devices. Since it's fully encrypted before it ever leaves your device, only you have access to your data. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.

Bitwarden is 100% open source software. The source code for Bitwarden is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase.