intruxxer / zaproxy

Automatically exported from code.google.com/p/zaproxy

Provide visibility of exclusions from proxy on History tab and Sites tree #586

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run ZAP 2.0.0
2. Create exclusion regexps for the proxy, for example for .css and .js files:
.*\.css$
.*\.js$
3. Start browsing a target web-app

What is the expected output? What do you see instead?

All requests for .css and .js files are excluded from the proxy and they also do 
not appear on the History tab or Sites tree (or potentially other modules).

What version of the product are you using? On what operating system?

ZAP 2.0.0 under Windows 7 64 bits

Please provide any additional information below.

We need to find a way to be able to add exclusion lists through regular 
expressions via the "File - Properties" menu, for example for the proxy 
(Exclude from proxy), and while those matching requests and responses are not 
intercepted (Break tab), they still might appear on the History tab or Sites 
tree (or potentially other modules).

The default and current behavior is not to show them at all. However, I think 
it would be more useful to see them taking place (although not intercepting 
them) in order to inspect them afterwards, if required.

We can implement this multiple ways: as the default behavior, using a new 
Properties exclusion config check-box to decide whether or not they should appear in 
any module, adding new options to the "View" menu (such as "Enable exclusions 
in History") or through new settings via the History filters.

The same applies to images. The current behavior is an all or nothing 
proposition via the "View - Enable image in History" menu. When enabled, not 
only do they appear in History but they also get intercepted in the proxy (Break tab) if 
interception is enabled. I suggest decoupling the two: History (and other modules') 
visibility and proxy interception.

Original issue reported on code.google.com by raul.si...@gmail.com on 4 Apr 2013 at 7:31

GoogleCodeExporter commented 9 years ago
I think excluding regexes from the proxy should mean that matching URLs do not 
appear in the history or sites tree - that's what it's for.

However I do think that having more display options in the History and Sites 
tabs is really useful.
So my suggestion is that we enhance the History Filter to support regex 
exclusions (but not inclusions).
That way you can choose whether to filter out certain types of files. We 
could even replace the 'Enable image in History' with a filter option which 
matches standard image extensions.

And for the Sites tree we could introduce a toolbar similar to the History one 
- one that supports the same filter options and the 'in scope' button.

Does that sound like a good alternative?

Original comment by psii...@gmail.com on 5 Apr 2013 at 8:29

GoogleCodeExporter commented 9 years ago
If the goal for exceptions is to completely hide them from all modules, then I 
agree to keep them that way and then add new display filters similar to the 
current ones for images to History and Sites (slightly improved, see below).

However I would improve them for both (images or other regexes): all traffic not 
excluded should be available from the moment ZAP starts for all the modules (e.g. History 
and Sites). Depending on the filters, the traffic will be displayed or not, but 
available. If I'm not wrong, currently images can only be seen from the moment 
you enable seeing them in History.

I agree the current "Enable image in History" could be integrated in this more 
generic regex-based display filtering mechanism and even allow the 
customization of the image extensions (.gif, .png, .jpg, ...).

Then we need to decide what the default will be for images (I vote for off, as 
right now) and for other regexes (.css, .js, .ico, ...). And finally, a 
complementary thing is whether that filtering display behavior should impact whether the 
associated traffic is automatically intercepted (Break tab).

I see this as two different things (although currently for images it is the same 
thing: History display == Break tab interception), so having independent 
options to decide if you want to just display (or not) the traffic in History 
(or Sites), and if you want to intercept it (Break tab) would be very useful. 
I'm aware we can create Break rules too, but I would provide a direct Break 
rule matching for these display filters.

Original comment by raul.si...@gmail.com on 5 Apr 2013 at 8:53

GoogleCodeExporter commented 9 years ago
Please check out the new feature for GlobalExcludeURL in the Options menu.  
This allows you to specify multiple regexes that are automatically ignored by 
the Proxy, Break, Spider, and Scanner.  The regexes persist outside of the 
session - they are completely ignored and saved between boot-ups of ZAP.  The 
URLs will still appear in the History tab.  I think this meets most of what 
you're requesting.

Please look at the daily or weekly builds after Feb 25; this was added in SVN 
commit 4333.

Original comment by veggiespam on 25 Feb 2014 at 3:24
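As an added illustration (not ZAP's own code), a small Python model of the behaviour this thread converges on: Global Exclude URL regexes keep matching URLs away from Break, Spider and Scanner while History still records them, and a separate History display filter (the proposal from the earlier comments, not a ZAP option) decides what is shown. It also checks the reporter's `.*\.css$` / `.*\.js$` patterns against a URL that carries a query string, where the `$` anchor silently stops matching; full-match semantics against the whole URL are an assumption of this model.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample patterns: the two from the original report.
GLOBAL_EXCLUDE = [r".*\.css$", r".*\.js$"]
# Hypothetical History display filter from the thread's proposal (not a ZAP option).
HISTORY_HIDE = [r".*\.(gif|png|jpg)$"]


@dataclass
class Decision:
    url: str
    excluded: bool   # matched a Global Exclude URL regex
    intercept: bool  # passed to Break tab / Spider / Scanner
    recorded: bool   # stored in History regardless of exclusion
    shown: bool      # visible in History after the display filter


def _matches(url, patterns):
    # Assumed semantics: each regex must match the entire URL string.
    return any(re.fullmatch(p, url) for p in patterns)


def classify(url, exclude=GLOBAL_EXCLUDE, hide=HISTORY_HIDE):
    """Decoupled policy: exclusion and display are decided independently."""
    excluded = _matches(url, exclude)
    return Decision(url=url, excluded=excluded, intercept=not excluded,
                    recorded=True, shown=not _matches(url, hide))


def query_string_gaps(urls, exclude=GLOBAL_EXCLUDE):
    """URLs whose path alone is excluded but whose query string defeats the $ anchor."""
    gaps = []
    for url in urls:
        parts = urlsplit(url)
        path_only = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
        if _matches(path_only, exclude) and not _matches(url, exclude):
            gaps.append(url)
    return gaps


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = ["https://example.com/app.js", "https://example.com/app.js?v=2",
              "https://example.com/logo.png", "https://example.com/login"]
    for u in sample:
        print(classify(u))
    print("excluded only without query string:", query_string_gaps(sample))
```

Widening the pattern to `.*\.js(\?.*)?$` closes the reported gap for versioned script URLs.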