Something like “decentraleyes” for Privoxy…
Apr. 03, 2019, 12:40 AM
Post: #23
RE: Something like “decentraleyes” for Privoxy…
Ahh... I don't think you understand.
You need to modify the Content Security Policy response header from yandex.
You do not need to add the header to 192.168.2.1.

(Apr. 02, 2019 05:59 PM)vlad_s Wrote:  It can be seen that my added ip 192.168.2.1 appears somewhere, but the script does not load.

192.168.2.1 needs to be in the "script-src" section of the response header from the yandex server.

(Apr. 02, 2019 05:59 PM)vlad_s Wrote:  How does the browser know that something is wrong with 192.168.1, because it did not download the script from this link to find out the Content Security Policy header?

The Content Security Policy header belongs to the response from yandex.ru.
It tells the browser the addresses that it may access to create the page.

The script is not allowed because the address 192.168.2.1 is not allowed.


An example from the Proxomitron:
The sidki set uses files from https://local.ptron:8443 .
So, it adds "https://local.ptron:8443" for 'default-src', 'img-src', 'script-src', and 'style-src'.
This is the header that the set creates from the 'yandex.ru' response header:

Quote:
Content-Security-Policy: connect-src 'self' wss://webasr.yandex.net
https://mc.webvisor.com https://mc.webvisor.org wss://push.yandex.ru wss://portal-xiva.yandex.net
https://yastatic.net https://home.yastatic.net https://yandex.ru https://*.yandex.ru
static.yandex.sx brotli.yastatic.net et.yastatic.net *.serving-sys.com an.yandex.ru
awaps.yandex.ru storage.mds.yandex.net music.yandex.ru music-browser.music.yandex.net
mc.admetrica.ru portal-xiva.yandex.net yastatic.net home.yastatic.net yandex.ru *.yandex.ru
*.yandex.net yandex.st; default-src https://local.ptron:8443 'unsafe-inline' 'self'
blob: wss://portal-xiva.yandex.net yastatic.net portal-xiva.yandex.net; font-src
'self' https://yastatic.net zen.yandex.ru static.yandex.sx brotli.yastatic.net et.yastatic.net
yabro1.zen-test.yandex.ru main.zdevx.yandex.ru yastatic.net; frame-src 'self' yabrowser:
data: https://ok.ru https://www.youtube.com https://player.video.yandex.net https://ya.ru
https://yastatic.net https://yandex.ru https://*.yandex.ru https://downloader.yandex.net
wfarm.yandex.net secure-ds.serving-sys.com yandexadexchange.net *.yandexadexchange.net
music.yandex.ru yastatic.net yandex.ru *.yandex.ru awaps.yandex.net *.cdn.yandex.net;
img-src https://local.ptron:8443 'unsafe-inline' 'self' data: https://yastatic.net
https://home.yastatic.net https://*.yandex.ru https://*.yandex.net https://*.tns-counter.ru
awaps.yandex.net *.yastatic.net gdeua.hit.gemius.pl pa.tns-ua.com mc.yandex.com mc.webvisor.com
mc.webvisor.org static.yandex.sx brotli.yastatic.net et.yastatic.net *.moatads.com
avatars.mds.yandex.net bs.serving-sys.com an.yandex.ru awaps.yandex.ru nissanhelioseurope.demdex.net
mc.admetrica.ru yastatic.net home.yastatic.net yandex.ru *.yandex.ru *.yandex.net
*.tns-counter.ru yandex.st; media-src 'self' blob: data: *.storage.yandex.net *.yandex.net
strm.yandex.ru strm.yandex.net *.strm.yandex.net *.cdn.yandex.net storage.mds.yandex.net
*.storage.mds.yandex.net yastatic.net kiks.yandex.ru; object-src 'self' *.yandex.net
music.yandex.ru strm.yandex.ru flashservice.adobe.com yastatic.net kiks.yandex.ru
awaps.yandex.net storage.mds.yandex.net; script-src https://local.ptron:8443 'unsafe-inline'
'self' 'unsafe-inline' 'unsafe-eval' blob: https://suburban-widget.rasp.yandex.ru
https://suburban-widget.rasp.yandex.net https://music.yandex.ru https://mc.yandex.fr
https://mc.webvisor.com https://yandex.fr https://mc.webvisor.org https://yastatic.net
https://home.yastatic.net https://mc.yandex.ru https://pass.yandex.ru zen.yandex.ru
an.yandex.ru api-maps.yandex.ru static.yandex.sx webasr.yandex.net brotli.yastatic.net
et.yastatic.net z.moatads.com bs.serving-sys.com secure-ds.serving-sys.com yabro1.zen-test.yandex.ru
main.zdevx.yandex.ru awaps.yandex.ru storage.mds.yandex.net yastatic.net home.yastatic.net
yandex.ru www.yandex.ru mc.yandex.ru suggest.yandex.ru clck.yandex.ru awaps.yandex.net;
style-src https://local.ptron:8443 'unsafe-inline' 'self' 'unsafe-inline' https://yastatic.net
https://home.yastatic.net zen.yandex.ru static.yandex.sx brotli.yastatic.net et.yastatic.net
yabro1.zen-test.yandex.ru main.zdevx.yandex.ru yastatic.net home.yastatic.net;

To do this the filter replaces
'default-src' with 'default-src https://local.ptron:8443 ',
'img-src' with 'img-src https://local.ptron:8443 ',
'script-src' with 'script-src https://local.ptron:8443 ',
'style-src' with 'style-src https://local.ptron:8443 '

It also adds 'unsafe-inline'.
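The header rewrite described in the post above, as an added Python example that is not part of the original post and is not the sidki set's or Privoxy's own filter code. The function names, the add_unsafe_inline switch and the shortened sample header are assumptions made for illustration; pass source="192.168.2.1" for the Privoxy case discussed in the thread.

```python
# Added example: add a local source to selected CSP directives of a
# response header, as the post describes the Proxomitron filter doing.
LOCAL_SOURCE = "https://local.ptron:8443"  # address taken from the post
TARGET_DIRECTIVES = ("default-src", "img-src", "script-src", "style-src")


def parse_csp(header_value):
    """Split a CSP header value into an ordered {directive: [sources]} dict."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep the first one seen.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def add_source(header_value, source=LOCAL_SOURCE, directives=TARGET_DIRECTIVES,
               add_unsafe_inline=False):
    """Return the header value with `source` prepended to every listed
    directive that is present. Absent directives stay absent, so the
    browser keeps falling back to default-src for them."""
    policy = parse_csp(header_value)
    for name in directives:
        if name not in policy:
            continue
        sources = policy[name]
        if [s.lower() for s in sources] == ["'none'"]:
            sources = []  # 'none' is only valid alone, so replace it
        extra = [source]
        # Off by default: 'unsafe-inline' loosens the site's policy.
        if add_unsafe_inline:
            extra.append("'unsafe-inline'")
        policy[name] = [s for s in extra if s not in sources] + sources
    return "; ".join(" ".join([n] + s) for n, s in policy.items())


if __name__ == "__main__":
    # Constructed sample header, much shorter than the real yandex.ru one.
    sample = ("default-src 'self' yastatic.net; "
              "script-src 'self' 'unsafe-eval' https://yastatic.net; "
              "font-src 'self'")
    print("Content-Security-Policy:", add_source(sample))
```

Unlike the quoted header, where 'unsafe-inline' appears twice in script-src and style-src, this version skips a source that is already listed, so running it twice on the same header changes nothing.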
Messages In This Thread
RE: Something like “decentraleyes” for Privoxy… - JJoe - Apr. 03, 2019 12:40 AM
