arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

sticky: extensions #655

Closed Thorin-Oakenpants closed 3 years ago

Thorin-Oakenpants commented 5 years ago

previous threads #492 #294 #211 #12


Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki list 4.1: Extensions. Stick to privacy and security related items

:small_orange_diamond: possible additions

:small_orange_diamond: nah

Just-me-ghacks commented 5 years ago

Any thoughts on Trace by AbsoluteDouble?

P.S.: IMHO it's a perfect fit for the "nah" category.

ghost commented 5 years ago

Trace Firefox extension, IMHO, offers several of the features found on different extensions but doesn't really handle any of them correctly or at least as best as possible, as well as some others. Not yet anyway.

My feeling is that the developer's work scheme was to install practically all features right from the start, more or less elaborated (rather less) and progressively bring each of these components to maturity. My preference is rather to add new features only once those in place have been optimized, not before.

crssi commented 5 years ago

window.opener be gone can be removed from the list, it's redundant with pref 2429 and this pref gives better protection

Add suggestions:

* HTTPZ | GitHub -> HTTPS by default does not work when using Temporary Containers
* Privacy-Oriented Origin Policy | GitHub

Here on are not a suggestion, but just for your info:

* Context Plus | GitHub <- A nice TC companion
* Certainly Something (Certificate Viewer) | GitHub
* Cookie Quick Manager | GitHub
* Kimetrak | GitHub

ghost commented 5 years ago

Kimetrak: I can see this info in uBO's dropdown and logger (and in UM)

Indeed. I have in mind another interesting Firefox extension which will as well provide the list of all sites accessed once on a page but will moreover display the security status of these connections:


This is interesting because not provided by uBO.

SixIndicator on AMO and GitHub

crssi commented 5 years ago

About Kimetrak... I know you can see all that crap in uBO and uM and logger... but it caught my eye because: uBO and uM here are blocking a lot of crap, but if something goes 3rd party, then I can see "filtered" in Kimetrak and it helps me see much faster and easier if there is something new that uBO and uM didn't block and that is worth investigating to tighten my uBO personal list.

That is it, nothing further to discuss anyway, since I have put it in my post under the "section": Here on are not a suggestion, but just for your info... so I don't care. :smile:

Cheers and :heart: you all :smile_cat:

ghost commented 5 years ago

I've discovered a Firefox (& Chrome) extension which seems to me so worthy that I'd appreciate your opinion about it: API-Killer-IndexedDB at its GitHub repository, available at Add-ons for Firefox.

What has always bothered me are sites laying data in my Firefox's profile storage/default folder, so called indexedDB. With this API-Killer-IndexedDB extension I can now avoid blocking cookie permission for sites such as youtube.com without having my indexedDB folder filled with unnecessary data (of course if cookie permission is session-only this data is removed on FF exit, yet I dislike sites laying on my computer what is not at all necessary).

Works great here. The developer has other extensions, including API-Killer-WebSocket and API-Killer-WebAssembly, all three in the scope of ghacksuserjs concerns.

Any cons to argument?

crssi commented 5 years ago

@StanGets The first and only commit was done 5 hrs ago. That is a fast discovery... or do you know the author?

ghost commented 5 years ago

@crssi I don't know the developer, I discovered the extension while reviewing AMO's updated extensions and immediately spotted API-Killer-IndexedDB because of the word killer associated with IndexedDB....

One thing is sure: it works. But as the developer notes it on his GitHub repository,

Kills HTML5's IndexedDB API, might break websites, if they do not have a localStorage/cookie fallback.

This is what I remain aware of but up to now, with cookies blocked and therefore indexedDB as well, I've encountered no problematic site.

I'm really enthusiastic about this extension but there may be cons, I'm no professional.

ghost commented 5 years ago

Thanks for correcting me, @Thorin-Oakenpants:

You will only clear IDB after a session if 1) PB mode or 2) you clear "offline website data" on close (or manually with time range everything) or 3) Temp Containers

Indeed I have set Firefox to clear "offline website data" on close. Wow, I had it all wrong, thanks again.

PPS: I haven't looked, so feel free to inspect that these extensions don't use any CSP header injection

I'm afraid that's above my skills. I mentioned the extension because it solves my problems on websites where I'd like to have a cookie -- i.e. YouTube when a userscript aiming to block Autoplay does it by modifying the site's cookie -- but where allowing the cookie would have that site lay itself in my IDB ... but considering the best often includes drawbacks is why I ask for advice here.

ghost commented 5 years ago

About the Mozilla Plugin Privacy Test Database,

Grrr .. why oh why did he call them plugins

Indeed! I know many people who still mistake add-ons with extensions with plugins ... Another interesting topic and dedicated article. The more you dig, the more astonishing revelations appear. I'm bookmarking that page.

ghost commented 5 years ago

I kinda fail to see the point, esp if you use FPI.

Yeah, you're absolutely right @Thorin-Oakenpants, and I do use FPI! I'll be frank, I'm overdoing it, not for sentimental reasons but basically for psychological ones, in other terms even if other settings do the job I insist on extras even if they appear to not at all be implied in enhanced privacy for the sole reason of a non-rational principle: I don't like sites writing to my device unless I've authorized them to. But you are right, it is not necessary. Maybe I am getting obsessed? LOL

ghost commented 5 years ago

I hear ya, brother! Still, it's better than being possessed

Beware, @Thorin-Oakenpants, you're pushing me to my natural behavior of being talkative on an off-topic: being obsessed versus being possessed. I can make 200 lines on that! Two should be enough? OK:

As always the right point is the balanced one. Here at ghacksuserjs this is obviously the approach and that's good. It's good and even required in scientific/technological areas but maybe always, even if feelings wouldn't always fit in a hyper-rational way of conducting our thoughts.

Being obsessed may be a form of being possessed, by ourselves, by our unconscious, by fears but also by domination: the point is not to dominate but to control. Self-control is known, self-domination would be an awkward advice!

Maybe not two lines, I needed a minimum of two paragraphs and still... I controlled myself, lol!

ghost commented 5 years ago

I received simultaneously your comment and bugzilla's via email notification. I'm happy the issue became a concern for Bugzilla to start with, but I had only submitted naively the remark of a non-techie concerning the cookie behavior not respected in some situations (as I felt it); from there on the developments which lead to what seems to be a true correction today (applicable in FF68) fly 40,000 feet above me. I'm a final release user so I'll have to wait for the FF68 release to appreciate the work! It'll be then my moment of fame, people will say "if it hadn't been for Stangetz where would we be now with this issue?" and I'll reply "Oh! you know, I just pointed out, lucky I was as players who play for the first time...".

There I go again. Tea was too strong :=)

crssi commented 5 years ago

@StanGets

I'm afraid that's above my skills.

It's actually simple to do. See the last line in the post https://github.com/ghacksuserjs/ghacks-user.js/issues/664#issue-420621480

  1. Install extension CRX
  2. Open https://addons.mozilla.org/firefox/addon/api-killer-indexeddb/
  3. Click on yellow CRX icon on the right side of URL bar and then View source
  4. Enter !content-security-policy into the search field (upper left corner). NOTE: ! means search all files.
  5. If you get a hit, then most probably the extension is modifying the CSP (need to decipher code to be sure).

Cheers :)

ghost commented 5 years ago

@crssi thanks! Done, and inputting !content-security-policy led to 0 hits.

But what I don't understand is the CRX extension being a requirement for checking CSP. Can't I just download an extension's xpi file, unzip it and search from there on? Second point is, how is searching for content-security-policy performed? Does CRX search for a specific term or specific code? Because if the query is only content-security-policy then I could as well search for it from the unzipped xpi ...

Anyway, thanks. This is not school, forget my wondering...

crssi commented 5 years ago

But what I don't understand is the CRX extension being a requirement for checking CSP.

No. It's not, but it makes the whole process much much simpler. For sure you can just download and unzip, which CRX essentially is doing already for you. :wink: The API for CSP is called over content-security-policy, so if that is not found then CSP does not get modified. If found, then you need to review the code in those lines.

Cheers

Kraxys commented 5 years ago

previous threads #492 #294 #211 #12

Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki list 4.1: Extensions. Stick to privacy and security related items

:small_orange_diamond: possible additions

* [Site Bleacher](https://addons.mozilla.org/en-US/firefox/addon/site-bleacher/) | [GitHub](https://github.com/wooque/site-bleacher)

:small_orange_diamond: nah

I find Site Bleacher interesting because it seems to handle IndexedDB in a more clever way than other comparable addons. From what I have seen, the IndexedDB a site has put in my browser, while remaining after closing my tab, is cleared as soon as I'm visiting this site again. This seems to me to be the most efficient way to handle IDB, given the API limitation.

ghost commented 5 years ago

Edit: oops, my bad.

crssi commented 5 years ago

^^ This extension doesn't touch CSP. Did you even check?

atomGit commented 5 years ago

@StanGets with regard to CRX asked...

Second point is, how is searching for content-security-policy performed?

in the CRX search input use: !content-security-policy the exclamation char prefix tells CRX to look at the content of the source files (default is file name) - i also use this to search for 'http' ( !http ) to look at URLs

atomGit commented 5 years ago

re: Site Bleacher - been using it for a while and, according to dev, it does not raise entropy (he's not injecting anything into IDB storage that website can read like i thought he may have been)

i just asked him if it handles Workers cache, but i'm pretty sure it don't

ghost commented 5 years ago

AFAICT all your api-killer stuff has been removed from AMO

The developer has removed all his API-Killers and all his other extensions except one, or these have been removed by Mozilla, no idea.

I had indeed mentioned the API-Killer-IndexedDB for the reasons evoked here above. The extension having been removed from AMO, and because I don't know for what reasons, I've removed it as well from my Firefox profile.

Because I continue to dislike sites pouring data in my IDB, I've found another way to block the IDB Web Api : WebAPI Blocker

I checked all occurrences of IDBxxx provided by this WebAPI blocker and disabled all 14 of them, which are:

IDBCursor IDBCursorWithValue IDBDatabase IDBFactory IDBFileHandle IDBFileRequest IDBIndex IDBKeyRange IDBMutableFile IDBObjectStore IDBOpenDBRequest IDBRequest IDBTransaction IDBVersionChangeEvent

Works like a charm. Certainly not all 14 need to be disabled but until I check the ones strictly required I disable all. No issues at this time.

atomGit commented 5 years ago

so... i asked the Site Bleacher dev if he would have a go at cleaning the 'service workers' stuff and he did :)

in addition to cookies, local storage and IndexedDB, the extension also addresses service workers, cache storages, filesystems and webSQLs - i don't know exactly what's covered by the latter 3, so i asked him here if anyone cares to follow that and his answer was "Don't really know"

jingofett commented 5 years ago

Is there a downside to using Clean Links over the other link cleaners listed on the wiki?

https://addons.mozilla.org/en-US/firefox/addon/clean-links-webext/

Personally, I find this extension catches and cleans a lot more links than the alternatives (ClearURLs, Neat URL, Skip Redirect), but I remember back before webextensions, people having an issue with it.

I use it with the following settings:


atomGit commented 5 years ago

Is there a downside to using Clean Links ...

somebody more knowledgeable might chime in, but IMO CleanURLs is the best of the bunch because it covers more and breaks less (not sure i've ever had ClearURLs break anything) - it's been an install & forget ext. for me - no need to fiddle with white/black lists (doesn't even have one)

some may not like it because it uses an external file (hosted on gitlab) but that's actually a plus in one way in that the dev doesn't have to update the ext. every time they need to change something

jingofett commented 5 years ago

Is there a downside to using Clean Links ...

somebody more knowledgeable might chime in, but IMO CleanURLs is the best of the bunch because it covers more and breaks less (not sure i've ever had ClearURLs break anything) - it's been an install & forget ext. for me - no need to fiddle with white/black lists (doesn't even have one)

some may not like it because it uses an external file (hosted on gitlab) but that's actually a plus in one way in that the dev doesn't have to update the ext. every time they need to change something

When using the examples on this page to test: https://github.com/tumpio/requestcontrol/wiki/Testing-links

Clean Links successfully cleans most of them, except for the "no redirection, only parameters" group (except for example no.11) and no.14 in misc. ClearURLs cleans: no.2, no.6, no.7, no.8, no.11

Again, I'm not an expert on this but I'm just asking so I can get more information

edit: Just realized I referenced other issues on accident, I thought I had to select the issue when using the hashtag symbol. Sorry about that...

atomGit commented 5 years ago

i never actually tested CleanURLs, so i'm glad you did - given your findings, i'll have to reconsider Clean Links which is what i used before

atomGit commented 5 years ago

i made the mistake of writing CleanURLs instead of ClearURLs in this thread

anyway, i visited the test page you linked to and most of the samples are redirects ... ClearURLs is designed to remove tracking params, so i'm not sure if it's supposed to deal with redirects??? seems like it should be though

Skip Redirect caught all the redirect samples, but ClearURLs did not catch all of the "no redirection, only parameters" samples -- i'm not sure what to think, but maybe ClearURLs isn't the best solution - ima gonna chat with da dev n c whts up

Atavic commented 5 years ago

Repo here.

crssi commented 5 years ago

@jingofett

There were some problems with Clean Links way back, I do not remember anymore what and when.

ClearURLs you cannot control, and if something doesn't work the only thing you can do is to turn off filtering or disable the extension. I do not like this extension due to the lack of manual control. The second problem is that on some pages even disabling filtering does not help and you need to disable the whole extension. Unfortunately I cannot report those problems, since those pages are "private" or "secure" matters. But for example some listings do not work, that is parts of web pages on Advanced Threat Protection configuration sites.

I use two extensions for those purposes:

  1. Skip Redirect with blacklist.
  2. Neat URL with Blocked Parameters and the following URL request types: font, image, imageset, main_frame, media, object, object_subrequest, script, stylesheet, sub_frame, websocket, xbl, xml_dtd, xmlhttprequest, xslt, other

Since you mentioned the https://github.com/tumpio/requestcontrol/wiki/Testing-links test page, it passes all except 8, 13 and 14, and here is why:

8: Skipping redirects on this sample leads to a whole bunch of breakages on reddit. But you can remove reddit.com/ from the Skip Redirect blacklist (if it's there). In that case tumpio example no.8 will pass.

13: Generally removing the sid parameter from a URL will also lead to breakages, but you can add sid@mozillazine.org to Neat URL Blocked Parameters and tumpio example no.13 will pass.

14: Almost the same as 13 (someone would need it and someone not), add dl@dropbox.com

atomGit commented 5 years ago

There were some problems with Clean Links way back, I do not remember anymore what and when.

i think it injected JS into pages - dunno if it still does

atomGit commented 5 years ago

Service Worker Control by jingyu9575

an interesting alternative to global blocking with uM which alerts the user about workers

Service Workers are website scripts that run in the background, to provide features such as offline experiences, push notifications and periodic background synchronizations. By default, Firefox allows websites to register Service Workers silently, and some websites register them for unclear or undesirable purposes. This extension detects the Service Workers registered on the pages, and allows the user to see their URL/scope or unregister them with an address bar button. You can restrict the Service Worker feature by enabling the "Require user consent for new Service Worker registrations" option. New Service Workers will not be in effect until you click "allow" under the address bar button.

atomGit commented 5 years ago

suggest a small edit to wiki 4.1 Extensions in order to clarify things

i realize there's "We are also not saying you have to use all these extensions." but i think more clarification would be good

for example, Neat URL and ClearURLs are both listed - i might suggest listing similar extensions like these as a sub-heading under "use only one" or something

same for Request Control and uBO/uM

window.opener be gone - add note: not needed if "Protect window API" is enabled in CanvasBlocker

would suggest adding HTTPZ? who doesn't like kitties!

earthlng commented 5 years ago

Thanks @atomGit

Neat URL and ClearURLs

I don't use either of those so IDK if they're mutually exclusive

Skip Redirect and Redirector

never used Skip Redirect but Redirector allows you to configure custom redirect rules whereas I believe Skip Redirect just does its thing automatically, doesn't it?

Request Control and uBO/uM

I use all 3 of these and don't see why this would need a "use only one" header or something like that. I guess it depends on what you want to use Request Control for.

Maybe someone who uses more of these than me can chime in here and explain the pros and cons and why one should or shouldn't use some or all of these pairs in combination

also pinging @Thorin-Oakenpants since he's the wiki master

atomGit commented 5 years ago

yes, Skip Redirect and Redirector should not have been lumped together - my mistake - i edited my comment to reflect that

atomGit commented 5 years ago

all foss, all on github...

FireMonkey - handles user scripts and CSS - apparently very privacy friendly (i know there are concerns with some other script add-ons) - dev appears to be active

Hermitation - toggles FPI per-domain (experimental) - 1 version released 6 months ago, so there's that

Service Worker Detector - interesting tool - not updated in the last year

Enforce Browser Fonts - toggle browser.display.use_document_fonts - what's interesting about this to me is that the dev is planning to incorporate a list so toggling is automatic by domain

KOLANICH commented 5 years ago

toggles FPI per-domain (experimental)

As it is said in the disclaimer, FPI is global and there are no guarantees.

per-tab FPI may be in scope of https://bugzilla.mozilla.org/show_bug.cgi?id=1553791

atomGit commented 5 years ago

Luminous: JavaScript events blocker

An extension to identify, analyze and block code execution and event collection through JavaScript in your browser.

it offers granular control over JS and can supplement other extensions, such as uBO, NS, etc.

atomGit commented 5 years ago

just an FYI regarding Site Bleacher (wasn't sure where best to post this)

those using ff v70 + Site Bleacher (other storage cleaners may be affected as well) may notice seemingly random crashes

the tl;dr fix is to set dom.storage.next_gen to false

the longer read is here... crashing Firefox v70 · Issue #11 · wooque/site-bleacher · GitHub

atomGit commented 4 years ago

dunno if this is useful (for wiki?), but i moved the uBlock O config stuff out of my Firefox config guides and consolidated it here...

uBlock Origin Suggested Settings

Solomon1732 commented 4 years ago

Looks potentially useful. Definitely not a must. Maybe a nice-to-have. https://www.ghacks.net/2019/12/23/protect-your-tabs-in-firefox-with-dont-touch-my-tabs-relnoopener/

RustyBurton commented 4 years ago

Font Fingerprint Defender https://addons.mozilla.org/en-US/firefox/addon/font-fingerprint-defender/

Like CanvasBlocker randomizes canvas fingerprints, this extension does the same for fonts. Every time you refresh the page there is a new value. Tested on https://browserleaks.com/fonts

atomGit commented 4 years ago

is font fingerprinting addressed by RFP?

Firefox 52: Better Font Fingerprinting Protection - gHacks

Security/Fingerprinting - MozillaWiki

rusty-snake commented 4 years ago

https://browserleaks.com/fonts seems to have no differences between RFP on and off.

atomGit commented 4 years ago

same here - i also tested and got the same ID - i closed the tab and disabled RFP and tested again because i thought maybe the FP would only change once you leave the domain, but alas, it didn't

crssi commented 4 years ago

^^ Interesting, since here I have tested right now and RFP enabled or disabled every reload same checksums when add-on is not active (disabled or not installed). But with add-on enabled (RFP enabled or disabled) then every reload different checksum... so it seems that it does the job.

geeknik commented 4 years ago

Indeed. They dropped the priority of Bundle and whitelist fonts when privacy.resistFingerprinting = true from P1 to P3 a couple of years ago and nothing has happened since. And whilst Block user-installed fonts by default is new, I wouldn't expect much. Mozilla laying off 70+ employees, including some, if not all, of their QA leads sure doesn't help the mission either.

crssi commented 4 years ago

There's just something about the dev and his other extensions that makes me scream inside

I couldn't express my feelings better.

atomGit commented 4 years ago

There's just something about the dev and his other extensions that makes me scream inside

why? his other extensions are largely privacy focused

what bothers me is that it's hosted on mybrowsedaddon.com - that said, i looked at the code for Font Fingerprint Defender and there's nothing in it that sets off alarms for me, however i'm not a qualified developer

crssi commented 4 years ago

I don't know, but this mybrowsedaddon.com is the thing, and not using a public git makes me feel un-trusty. But it's just a feeling, not that I would know some facts, might be totally unfair.