cowlicks / privacypossum

Privacy Possum makes tracking you less profitable

Seems to break Ubiquiti support login #93

Open rmenessec opened 6 years ago

rmenessec commented 6 years ago

Browser info

Problem report:

Unable to log into Ubiquiti's support site. Note that the password manager I'm using (KeePassXC 2.3.3 with matching browser extensions) as well as Chromium's password-saving heuristics report the URL as https://ubnt.zendesk.com/ rather than the displayed URL (https://help.ubnt.com/hc/en-us) in the browser bar.

In both cases, the login completes if Privacy Possum is disabled. No errors are thrown in Chromium's JS console; I haven't checked Firefox, yet, but the same problem persists in both browsers.

Note that Chromium's password heuristics don't offer to save the login credentials unless Privacy Possum is disabled, although the page does a partial reload (redraw?) either way, when credentials are input. Chromium exhibits an interesting page draw glitch on the reload / redraw if Privacy Possum is enabled; not sure if that has anything to do with the various toggles I've flipped in chrome://flags. Page draws correctly on reload / redraw with Privacy Possum disabled.

Would you consider adding site whitelisting at some point? This is the first issue I've ever had with Privacy Possum.

cowlicks commented 6 years ago

Hi @rmenessec, thank you for the detailed report!

First, there is site whitelisting! But I think I've made the UI a little confusing. You "whitelist" a site by opening the popup and clicking on the big on/off button on the top right. This disables Privacy Possum for a specific host, essentially whitelisting the host. I think some people mistake this for an on/off button for the entire extension, which is understandable. I'm open to suggestions for how to improve this UI.

If this whitelisting does not work, please let me know.

As for this bug, I'm not sure what is going on here. I'll have to take a closer look. But I might not have time until early next week.

rmenessec commented 6 years ago

@cowlicks: Oh. Yes, that's exactly what I mistook it for. I guess I was expecting to see a whitelist function like Decentraleyes', since nothing else seemed to suggest a whitelist.

If you prefer a GUI option—I do—it might make sense to borrow the "rule creation" segment of Forget Me Not's UI, which allows one to see at a glance whether the current site is whitelisted, via both button color and the button's context menu; and which both preloads and prefills the rule creation UI if no rule matches the current site.

I'd also borrow Forget Me Not's button color scheme; the grey seems to imply that the extension is disabled / nonfunctional. That, or it might make sense to borrow the badge-with-counter appearance of uBO / Forget Me Not / many others.

Forget Me Not in particular uses a slightly outsize, 1px 3D border badge with white-on-blue, bold "W" for whitelisted and white-on-red, bold "F" for "forget." I suppose "E" for "enabled" and "D" for "disabled," in this case? Forget Me Not's button also does not change color to indicate rule status; only the badge does. I like it.

... While I'm thinking about it, I believe that only extensions like Decentraleyes—or like uBO, with its highly custom interface with adapted triggering for Android—work on Firefox for Android. It might be necessary to have a simple Decentraleyes-like UI in the Firefox Add-ons page as a backup to the desktop experience. I don't remember whether the Decentraleyes-type UI works on Firefox for Android any more; I know that Canvas Blocker has taken to emitting a full-page warning on every update, encouraging users to bookmark the add-ons / options page if they have not already done so.

I don't pretend to understand what Mozilla think they're doing for / to Android users by having a 90%-functional Android port. 😝