css hide rules created for HTTPS sides do not work for LAN users about adblock2privoxy HOT 6 CLOSED

It is possible to differentiate traffic which comes directly from browsers which always will be HTTP and one one that comes from HTTPS proxy where it is additionally tagged. In my case it is client-header-tagger{tagger4https} than perhaps rules could be changed for them and in case of SSL traffic that should be directed to different port at which the same content gets server just over https?

I use following in privoxy for SSL sites filtering

proxhttpsproxy.action

{ +client-header-tagger{tagger4https} }
/
{ +forward-override{forward 127.0.0.1:8081} }
TAG:.*?ProxHTTPSProxyMII

proxhttpsproxy.filter

CLIENT-HEADER-TAGGER: tagger4https
s@^.*Tagged:.*ProxHTTPSProxyMII.*FrontProxy.*$@$0@i

from adblock2privoxy.

As workaround for this problem in Firefox one may set security.mixed_content.block_active_content to false which would allow http content to be served on https sites.

Few things to keep in mind while using this workaround:

• ssl icon in the browser would no longer show connection as secure
• Firefox ESR 52.8.0 does not work probably due to bug while Firefox 60 does
• while it works for most SSL sites still there are those as filmweb.pl or wpolityce.pl for which config.privoxy.org does show element hiding is used, but no information about css file is send to the browser from privoxy for browser to download

Chrome also requires intervention for mixed content to be loaded by the browser. Starting application with google-chrome --allow-running-insecure-content is required.

Opera has own options as well http://help.opera.com/Windows/12.10/en/contentblock.html

from adblock2privoxy.

It turns out some sites require more intervention as they establish their own Content Security Policy. In Firefox one needs to set security.csp.enable to false. However turning off all those security policies is never a good idea, therefore fix to script which would direct inquires for local css files to https sites for https content is even more important.

from adblock2privoxy.

I’m going to declare that TLS interception is beyond the scope of this a repo because of the inherit security risks and because robust configuration and testing is a time-consuming PITA.

If anyone wishes to fork the repo and get this working and tested themselves, I’ll consider a PR in the future.

from adblock2privoxy.

Idea is rather simple. If link is tagged with +client-header-tagger{tagger4https} +filter{ab2p-elemhide-filter} than send it to CSS served over HTTPS

CLIENT-HEADER-TAGGER:tagger4https FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/$host/ab2p.css"></link>@iUD

Otherwise if client-header-tagger{tagger4https} is not specified than serve link to CSS over HTTP as usual.

FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></link>@iUD

What is problematic is that privoxy manual does not say it allows double rule on the single line so probably it is not achievable so easily.

from adblock2privoxy.

OMG I do not believe it. It was so simple

FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></l
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/$host/ab2p.css"></link>@iUD

It turns out placing both under element hiding works in every scenario without any security tricks in browsers :) Would have to do some testing but I think reason HTTPS broke for HTTP sites is that other browsers did not have local website certificate accepted as it is self signed therefore disregarded https link.
If that would be true than implementation in adlock2privoxy seems very simple. Adding new command line switch eg. -ssl which would for element hidding create https:// link instead of plain http://

from adblock2privoxy.