gorhill / httpswitchboard

Point & click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc.
GNU General Public License v3.0

Surrogate scripts #359

Open ghost opened 10 years ago

ghost commented 10 years ago

NoScript has an interesting feature which is not really covered in its documentation but presented in Giorgio Maone's blog: Surrogate Scripts. More details here.

In general, I think this feature is not as relevant in HTTPSB as in NoScript: since HTTPSB supports domain- and site-level scopes, it's easy to selectively whitelist, e.g., google-analytics.com if it is really required to make a site work properly.

Nevertheless, a blog post by Wladimir Palant and a pointer by Maone to a thread in the NoScript forum, where Maone uses those scripts to load local libraries, make me wonder if such surrogate scripts are also useful for HTTPSB, particularly with regard to jQuery, which seems to be used by Google more and more often to track users. According to Palant, loading scripts from a local source "is simpler to implement with Chrome APIs".

gorhill commented 10 years ago

I was pretty sure somebody entered this issue elsewhere, but can't find it (aside from kitchen-sink issue #328).

On the surface it seems to be a simple redirect to locally cached resources. But this raises questions. I want the matrix to report exactly what a web site does, and if a script cell is green it means the server was hit with a request. Now the user will have to wonder if it was a request which was redirected to a local copy, or not, or a mix of local and remote requests.

This gets complicated. And I know that we can always come up with, "show another color", but what from the user's point of view looks trivial is not always so in the code, and adding complexity to the code is always something which I need to resist, or risk having the code base spin out of control. Anyways, just saying this needs to be thought through.

ghost commented 10 years ago

Yes, I understand that it is a complicated issue. But thanks for considering it.

gorhill commented 10 years ago

Any suggestions for what to show in the matrix when a green cell contains requests:

?

Say I decide to create a custom domain name for such redirected requests, then the matrix would kind of hide for what hostname the original request was intended (not good, important information becomes lost). One solution is a custom domain name based on the original hostname, which brings other issues: length of the name, probably adding a lot of exception-handling code in a lot of places in the code.

The matrix is the "limiting" factor here.

What about another extension whose purpose is strictly that, to redirect common remote resources to local copies? There is nothing wrong with the idea of having specialized extensions with a manageable code base, and whose purposes are completely unhindered by other requirements.

gorhill commented 10 years ago

I feel like doing such an extension now, seems so simple. It really doesn't need to be part of HTTPSB, and anybody could benefit from it, no need to be an advanced user, while it's kind of required for HTTPSB. Advantages:

ghost commented 10 years ago

Raymond, although I'm always tempted to say that I prefer an all-in-one solution where everything is approachable in one extension, I agree that in this case another extension really makes sense.
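
The standalone "redirect common remote resources to local copies" extension discussed in this thread could look like the sketch below. It is an added example, not code from HTTPSB, NoScript or any participant. The surrogate table, bundled file paths and `redirectLog` are hypothetical, and it keeps the original hostname with each redirect so that information is not lost.

```javascript
// Constructed surrogate table: CDN hostname + path pattern -> bundled file.
// Hostnames, patterns and local paths are illustrative assumptions.
const SURROGATES = [
  { host: 'ajax.googleapis.com',
    path: /^\/ajax\/libs\/jquery\/(\d+\.\d+\.\d+)\/jquery(?:\.min)?\.js$/,
    local: (m) => `lib/jquery/${m[1]}/jquery.min.js` },
  { host: 'code.jquery.com',
    path: /^\/jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js$/,
    local: (m) => `lib/jquery/${m[1]}/jquery.min.js` },
];

// Files actually shipped inside the extension package (constructed).
const BUNDLED = new Set(['lib/jquery/1.11.0/jquery.min.js']);

// Decide whether a request can be served locally. Returns null when it
// must go to the network; otherwise the local path plus the hostname the
// page originally asked for, so a UI can still report it.
function resolveSurrogate(requestUrl) {
  let u;
  try { u = new URL(requestUrl); } catch (e) { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  for (const rule of SURROGATES) {
    if (u.hostname !== rule.host) continue;   // exact host match only
    const m = rule.path.exec(u.pathname);
    if (!m) continue;
    const localPath = rule.local(m);
    if (!BUNDLED.has(localPath)) return null; // never substitute another version
    return { localPath, originalHostname: u.hostname };
  }
  return null;
}

// Record of redirected requests, keyed by the original hostname.
const redirectLog = [];

// Wiring for Chrome's blocking webRequest API (Manifest V2); skipped when
// this file is run outside an extension.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener((details) => {
    const hit = resolveSurrogate(details.url);
    if (!hit) return {};
    redirectLog.push({ tabId: details.tabId, host: hit.originalHostname });
    return { redirectUrl: chrome.runtime.getURL(hit.localPath) };
  }, { urls: ['*://ajax.googleapis.com/*', '*://code.jquery.com/*'],
       types: ['script'] }, ['blocking']);
}
```

In a real extension the bundled files would also have to be listed under `web_accessible_resources` in the manifest, and each local copy should be byte-identical to the upstream release it replaces.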