gorhill / httpswitchboard

Point & click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc.
GNU General Public License v3.0

Problems with authorization on http://hh.kz #410

Open inDigazzZ opened 9 years ago

inDigazzZ commented 9 years ago

Even if you disable the matrix filter, http://hh.kz redirects to http://hh.kz/?nocookies. If you disable the extension, authorization starts to work.

gorhill commented 9 years ago

Even if you disable the matrix filter

How did you disable the matrix?

inDigazzZ commented 9 years ago

[two screenshots attached: 2014-09-10_18-26-32, 2014-09-10_18-27-58]

inDigazzZ commented 9 years ago

The problem was in Chrome and Opera, but now there's no problem in Chrome Canary 39.0.2151.4. I cannot say for sure in which version the problem disappeared.

gorhill commented 9 years ago

After you disabled the matrix, did you try to login directly from http://hh.kz/?nocookies? Often for that kind of problem you have to be sure you are logging in on the original page before the error occurred, i.e. http://hh.kz/ in the current case.

In the current case, it appears the server redirected your login page to http://hh.kz/?nocookies, so you would have to go back to http://hh.kz/ and login from there.

inDigazzZ commented 9 years ago

Directly from http://hh.kz/?nocookies and from http://hh.kz/ too. Even if the matrix is disabled and I type http://hh.kz/ in a new tab and go there, there's a redirection to http://hh.kz/?nocookies.


gorhill commented 9 years ago

Even if the matrix is disabled and I type http://hh.kz/ in a new tab and go there, there's a redirection to http://hh.kz/?nocookies.

Ok, then I suspect there is a redirect to something other than hh.kz in between. Try using a domain-level scope instead, i.e. *.hh.kz. This may fix the whole login problem so that even completely disabling the matrix won't be necessary. I personally rarely use site-level scopes because of login problems like this.

inDigazzZ commented 9 years ago

If completely turning off blocking does not work, then how can *.hh.kz help? Tried it - it does not help.


gorhill commented 9 years ago

If completely turning off blocking does not work, then how can *.hh.kz help?

You turned it off for hh.kz; the on/off switch applies only to the current scope.

inDigazzZ commented 9 years ago

Doesn't work


gorhill commented 9 years ago

You have to look into the request log to find out which requests were blocked that the login process may need. There could be a redirect to an intermediate site; this will show up in the request log.

inDigazzZ commented 9 years ago

It was http://hhid.ru/ - I've turned off blocking and hh.kz starts to work.

But look at the previous screenshot:

there's hhid in the list, but only cookies were loaded, not the script which loads another source.


gorhill commented 9 years ago

Are you blocking behind-the-scene requests? I tried to login using a random name/password just to see the flow of requests, and I can see that, for whatever reason, some requests ended up as behind-the-scene requests:

http://top-fwz1.mail.ru/tracker?js=13;id=310372;e=RT/unload;sid=08e06073;ids=310372;ver=60;_=0.3147901261691004
http://mc.yandex.ru/webvisor/2647417?rn=446347125&page-url=http%3A%2F%2Fhh.kz%2F&wmode=0&wv-type=0&wv-hit=788884724&wv-part=2&wv-check=3341&browser-info=z%3A-240%3Ai%3A20140910113349%3Arqnl%3A1%3Ast%3A1410363234

inDigazzZ commented 9 years ago

Why are Opera and Chrome loading different sources?

There's no hhid in Chrome and the count of all sources is different.

I've changed the UA in Opera to Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2151.4 Safari/537.36


inDigazzZ commented 9 years ago

Are you blocking behind-the-scene requests?

No - blocking is turned off.


gorhill commented 9 years ago

Ok, I started a completely new browser session with only HTTPSB, and entered hh.kz in the address bar. Request log:

12:06:01    page    http://hh.kz/?nocookies
12:06:01    page    http://hhid.ru/hhid/validate/O7nqwjRzjS5M75CBpveprXSFgBc7;http;hh.kz;80;/
12:06:01    page    http://hhid.ru/validate/;http;hh.kz;80;/
12:06:01    page    http://hh.kz/

So the request log in that case was the solution: when you type hh.kz in the address bar, what is really happening is that you are redirected to hhid.ru, which will apparently set session cookies, and then you are redirected back to hh.kz, which apparently needs the cookies from hhid.ru to be set.

I completely missed in your screenshot the empty hhid.ru: it's a telltale sign of a redirection.

So simply whitelisting only the cookie for hhid.ru in the hhid.ru scope is best security-wise. So import:

hh.kz%0A%09whitelist%0A%09%09cookie%20hh
.kz%0A%09%09stylesheet%20*%0A%09%09image
%20*%0A%09%09script%20*%0A%09%09xmlhttpr
equest%20*%0A%09%09cookie%20hhid.ru%0Ahh
id.ru%0A%09whitelist%0A%09%09cookie%20hh
id.ru

In the Recipes field of the "Scoped rules" tab.

Afterward, re-enable matrix filtering for hh.kz; given how much the page is bloated, this is best. From there, you should be able to whitelist only what is needed to login without having to completely disable matrix filtering.

Edit: I corrected the recipe above; we need to also allow the cookie for hh.kz, or else there is an infinite redirect loop. Don't forget to persist the two scopes.
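An added example (my code, not HTTPSB's) that decodes the URL-encoded recipe above and walks the hh.kz -> hhid.ru -> hh.kz chain from the request log through the resulting scopes, showing why the hh.kz cookie has to be whitelisted too. The recipe grammar (scope line, whitelist/blacklist line, tab-indented "type hostname" rules, encoded with %0A/%09/%20) is taken from the recipes on this page; the matching rules in isAllowed() and the "before the edit" recipe are my assumptions.

```javascript
// Added example, not HTTPSB's code: decode a URL-encoded HTTPSB recipe and walk
// the hh.kz -> hhid.ru -> hh.kz redirect chain through the resulting scopes.
// Recipe grammar is read off this page; isAllowed() is a simplification.

// Recipe as gorhill posted it (the parser joins the wrapped lines).
const RECIPE = [
  'hh.kz%0A%09whitelist%0A%09%09cookie%20hh',
  '.kz%0A%09%09stylesheet%20*%0A%09%09image',
  '%20*%0A%09%09script%20*%0A%09%09xmlhttpr',
  'equest%20*%0A%09%09cookie%20hhid.ru%0Ahh',
  'id.ru%0A%09whitelist%0A%09%09cookie%20hh',
  'id.ru',
].join('\n');
// Constructed: a recipe like the one before the "Edit", with no hh.kz scope.
const RECIPE_BEFORE_EDIT = 'hhid.ru%0A%09whitelist%0A%09%09cookie%20hhid.ru';

// Parse into { scope: { whitelist: [{type, host}], blacklist: [...] } }.
function parseRecipe(encoded) {
  const scopes = {};
  let scope = null, list = null;
  // Physical newlines are only wrapping; real newlines are %0A, indentation %09.
  for (const raw of decodeURIComponent(encoded.replace(/\n/g, '')).split('\n')) {
    if (raw.trim() === '') continue;
    const depth = raw.match(/^\t*/)[0].length;
    const line = raw.trim();
    if (depth === 0) scope = scopes[line] = { whitelist: [], blacklist: [] };
    else if (depth === 1) list = scope[line];
    else { const [type, host] = line.split(' '); list.push({ type, host }); }
  }
  return scopes;
}

// Simplified matrix: allowed only if a whitelist rule matches type and host
// ("*" matches anything; a hostname rule also covers its subdomains). An
// unknown scope has no whitelist, so everything in it is blocked.
function isAllowed(scopes, scope, type, host) {
  const rules = scopes[scope] ? scopes[scope].whitelist : [];
  return rules.some(r =>
    (r.type === '*' || r.type === type) &&
    (r.host === '*' || host === r.host || host.endsWith('.' + r.host)));
}

// The two cookie hops the request log implies: hhid.ru sets its session
// cookie, then hh.kz must keep its own; a blocked hop means hh.kz bounces
// to ?nocookies again (the redirect loop gorhill's Edit describes).
function loginFlow(scopes) {
  const hops = [
    { scope: 'hhid.ru', type: 'cookie', host: 'hhid.ru' },
    { scope: 'hh.kz', type: 'cookie', host: 'hh.kz' },
  ];
  const blocked = hops.filter(h => !isAllowed(scopes, h.scope, h.type, h.host));
  return blocked.length ? 'redirect-loop:' + blocked.map(h => h.host).join(',') : 'logged-in';
}
console.log(loginFlow(parseRecipe(RECIPE)));             // logged-in
console.log(loginFlow(parseRecipe(RECIPE_BEFORE_EDIT))); // redirect-loop:hh.kz
```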

inDigazzZ commented 9 years ago

Look above - I wrote about hhid. I'm using Opera and there hhid is in the list. And hhid is 'green', and it means that all sources from hhid will be loaded. Why does hh.kz work in Chrome without hhid in the list?

gorhill commented 9 years ago

Why does hh.kz work in Chrome without hhid in the list?

If the session cookies from hhid.ru already exist when visiting hh.kz, there will be no redirections. I just checked that this is the case.

Edit: By the way, there was a typo in my recipe above, I fixed it.

inDigazzZ commented 9 years ago

Are you sure you're right?

I've just cleared browser data (all) in Chrome and in Opera.

Then I open hh.kz in Chrome and there is NO redirection. I just open the site - without trying to log in. And there are cookies from hhid.

Then I open Opera and there is a redirection. I just open the site - without trying to log in. And there are cookies from hhid.

The rules in the matrix are the same in Opera and in Chrome.

Identical rules - different behavior.


gorhill commented 9 years ago

Are you sure you're right?

Yes.

I've just cleared browser data (all) in Chrome and in Opera.

You need more than this: you need to restart HTTPSB. On my side, I have "Keep local data only until you quit your browser" selected. So when I leave the browser, all cookies are removed. Re-launch the browser and you will see the redirection.

The thing is, HTTPSB doesn't reset the lists of hostnames when you reload a page. It remembers the hostnames for a given page a while after the page has been closed (10-20 minutes, I don't remember exactly). This is by design, to be sure that crucial information about what a web page tried to do won't be flushed down the drain after a mere page refresh.

inDigazzZ commented 9 years ago

Sorry, but you're not right. I cleared browser data and restarted both browsers.

There's no redirection in Chrome.

I found the difference in the configuration file. In Opera:

"statsFilters":{"show-allowed":false,"show-blocked":true,"show-cookie":true,"show-image":true,"show-main_frame":true,"show-object":true,"show-other":true,"show-script":true,"show-stylesheet":true,"show-sub_frame":true,"show-xmlhttprequest":true},"strictBlocking":true,"subframeColor":"#cc0000","subframeOpacity":100}

In Chrome:

"statsFilters":{},"strictBlocking":true,"subframeColor":"#cc0000","subframeOpacity":23}

I've found a bug in the rules - the problem was in the rules.

In Chrome:

hh.kz%0A%09whitelist%0A%09%09
*%20hh.kz%0A%09%09
*%20hh.ru%0A%09%09
*%20hhcdn.ru%0A%09%09
*%20hhid.ru%0A%09%09image%20
*%0A%09%09script%20ajax.googleapis.com%0A%09%09stylesheet%20
*%0A%09%09sub_frame%20hh.kz
%0A%09%09sub_frame%20hhcdn.ru
%0A%09blacklist%0A%09%09
*%20*%0A%09%09sub_frame%20*%0A

In Opera:

hh.kz%0A%09whitelist%0A%09%09
*%20coub.com%0A%09%09
*%20hh.kz%0A%09%09
*%20hh.ru%0A%09%09
*%20hhcdn.ru%0A%09%09
*%20hhid.ru%0A%09%09image%20
*%0A%09%09script%20ajax.googleapis.com%0A%09%09stylesheet%20
*%0A%09%09sub_frame%20coub.com
%0A%09%09sub_frame%20hh.kz
%0A%09%09sub_frame%20hhcdn.ru
%0A%09blacklist%0A%09%09
*%20*%0A%09%09sub_frame%20*%0A

I do not know how it happened, but if you remove all lines with coub.com, then everything starts to work fine - with no redirection.

Thanks for your time...


inDigazzZ commented 9 years ago

NOOOOOOOOOOOO

The problem is not in the rules (( I don't know why, but Chrome works with no problems - clearing data/restarting. Opera works only some of the time.

One time: deleted data / restarted / imported prefs from Chrome - works fine. Another time: deleted data / restarted / imported prefs from Chrome - doesn't work.

It seems like Opera is pretty buggy ((


gorhill commented 9 years ago

It seems like Opera is pretty buggy

No, I can systematically get the redirection with Chrome:

[screenshot a]

Leave the browser (be sure no instance is left in memory). Launch the browser, open a tab at http://hh.kz:

[screenshot b]

Repeat at will. Then change:

[screenshot c]

Leave the browser (be sure no instance is left in memory). Launch the browser, open a tab at http://hh.kz:

[screenshot d]