Threaded Mode | Linear Mode

***JJoe*** · (This post was last modified: Sep. 16, 2019 04:35 PM by JJoe.)

(Sep. 15, 2019 02:42 AM)thypentacle Wrote: For issue 2 I think I fixed that one on my end by not using Opera.

I use the new Opera portable.

(Sep. 15, 2019 02:42 AM)thypentacle Wrote: For issue 3 here's a few that fail loading...

https://community.quirky.com/login
https://discordapp.com/channels/@me
https://www.linkedin.com/in/thyinnovation
https://teams.microsoft.com (sometimes works sometimes doesn't)
https://www.vudu.com/content/movies/free (loads kinda but is missing most of it... may not be related)

Ahh... Filtering will break web sites.
The user is expected to add 'Exceptions' to 'Exceptions-U.ptxt' to regain desired behavior.
However, I'll claim discordapp and teams.microsoft.com.

Depending on which cfg you are using, 'Exceptions-U.ptxt' needs at least:

Code:

##community.quirky.com/login

aws1.discourse-cdn.com/                     $SET(0=a_adjs.a_jsprop.)

#OR

aws1.discourse-cdn.com:                     $SET(0=a_adjs.a_jsprop.)

##www.linkedin.com/

www.linkedin.com/   $SET(0=a_refer.)

#OR

www.linkedin.com:   $SET(0=a_refer.)

##teams.microsoft.com - Not needed, if nonce is removed from the Content-Security-Policy header.

teams.microsoft.com/   $SET(0=i_loc_j:0.)

#OR

teams.microsoft.com:   $SET(0=i_loc_j:0.)

Discordapp's Content-Security-Policy header uses nonce.

Code:

default-src https://local.ptron:8443 'unsafe-inline'  'self'; 

script-src https://local.ptron:8443 'unsafe-inline'  'self' 'unsafe-eval' 'unsafe-inline' 

https://cdn.discordapp.com/animations/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ 

https://recaptcha.net/recaptcha/ https://js.stripe.com https://js.braintreegateway.com 

https://assets.braintreegateway.com https://www.paypalobjects.com https://checkout.paypal.com 

'nonce-NjUsMTgzLDEwMywxOTUsMTI5LDMwLDExNyw4MA=='; style-src https://local.ptron:8443 

'unsafe-inline'  'self' 'unsafe-inline' https://cdn.discordapp.com; img-src https://local.ptron:8443 

'unsafe-inline'  'self' data: https://*.discordapp.net https://*.discordapp.com https://i.scdn.co 

https://i.ytimg.com https://i.imgur.com https://*.gyfcat.com https://media.tenor.co 

https://media.tenor.com https://*.youtube.com https://*.giphy.com https://static-cdn.jtvnw.net 

https://pbs.twimg.com https://assets.braintreegateway.com https://checkout.paypal.com; 

font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://status.discordapp.com 

https://discordapp.com https://cdn.discordapp.com https://router.discordapp.net wss://*.discord.gg 

https://best.discord.media wss://*.discord.media wss://dealer.spotify.com https://api.spotify.com 

https://support.discordapp.com https://sentry.io https://api.twitch.tv https://api.stripe.com 

https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://origin-analytics-prod.production.braintree-api.com 

https://payments.braintree-api.com ws://127.0.0.1:* http://127.0.0.1:*; media-src 

'self' blob: https://*.discordapp.net https://*.discordapp.com https://*.youtube.com 

https://streamable.com https://vid.me https://*.gfycat.com https://twitter.com https://oddshot.akamaized.net 

https://*.giphy.com https://i.imgur.com https://media.tenor.co https://media.tenor.com; 

frame-src 'self' discord: https://*.youtube.com https://*.twitch.tv https://open.spotify.com 

https://w.soundcloud.com https://sketchfab.com https://player.vimeo.com https://twitter.com 

https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ https://js.stripe.com 

https://assets.braintreegateway.com https://checkout.paypal.com https://*.watchanimeattheoffice.com; 

child-src 'self' https://assets.braintreegateway.com https://checkout.paypal.com;

'Nonce' causes the browser to ignore our 'unsafe-inline' addition and our inline scripts for discordapp.com/channels/@me.
The simple choice is to bypass the affected pages or add Exceptions for the broken routines.
Another is to remove "nonce' from the header.
Warning: This would also allow malicious scripts without the nonce attribute to run.

Code:

[HTTP headers]

In = TRUE

Out = FALSE

Key = "Content-Security-Policy: Remove nonce and hash 19.09.15     [jjoe] (d.0) (In) [add]"

Match = "(\# '(nonce|sha256)-*')+{1,*}\#"

Replace = "\@"

The better (for our point of view) but more time consuming choice would be to capture the nonce and add it to our rewritten scripts.

discordapp is also using the integrity attribute.

Code:

<script src="/assets/dea071166a0cf8791a1e.js" integrity="sha256-0kdB3V4HCTqbit21e3K2rY7ypJiNdjmjyQ9MFnPJHCI= sha512-EtY9vjf3AHCuuRqOurhkNITyJtCXmfgFQmOCD4w/LbtgvstqFufIiFfTetU24nhw+n1CD//myNXaNa59lT9EQg==">

The browser will reject the script if its hash isn't the integrity attribute's value. A filtered script's hash will not match.
The simple choice is to bypass the affected resources. Wink

Warning: This would also allow malicious files to run.

Code:

[Patterns]

Name = "Script: Remove integrity     19.09.15 (multi) [jjoe] (d.0)`"

Active = TRUE

Multi = TRUE

Bounds = "<script\s*>"

Limit = 512

Match = "\1integrity=$AV(*)\2"

Replace = "\1\2"

Name = "Link: Remove integrity     19.09.15 (multi) [jjoe] (d.0)`"

Active = TRUE

Multi = TRUE

Bounds = "<link\s*>"

Limit = 512

Match = "\1integrity=$AV(*)\2"

Replace = "\1\2"

more to come...