Local Replacement for ajax.googleapis.com (feature request)


Postby mellpell » Mon Apr 28, 2014 3:44 pm

Hi Developers,

I would like to propose an enhancement to NoScript to improve browser performance and enhance end user privacy and security.

On reading over the change-log for NoScript, I came across the following item:
x [Surrogates] Fixed Google Analytics surrogate breaking some javascript: links (thanks Will for reporting)

Google Analytics is a tracking feature used by many web sites to follow browser use across different websites. Google Analytics is widely used because it is easy to implement and because web developers (and their customers) consider Google to be a more reliable source of statistics than their own web server logs.

Now that NoScript is around, Google is rethinking how they can reliably track people without Google Analytics. They have a clever workaround for the problem: force people to load jquery via SSL from Google servers. Since jquery is used by seemingly every single web site, and "best practice" is to load jquery from Google, there is a virtual certainty of tracking all modern browsers this way.

This man has figured out how to serve a local copy of jquery from an Apache instance hosted on his local machine:
http://development.genusa.com/?p=211

While I admire what he is doing, I think that the number of people willing to go to the trouble is pretty minimal. Moreover, the proper place to put this is in the browser so you don't have to deal with SSL proxy issues.

Jquery is an abomination. I would much prefer to browse the web with JavaScript turned off, but for many (if not most) sites, that is not possible. The next best thing is to control the content of the js that reaches my machine. Please consider adding this enhancement to NoScript. It would:

*) Enhance browser security. The ajax.googleapis.com server must be the holy grail of hackers. It would also be a preferred vehicle for malicious governments or corporations to target individuals or entire countries. Likewise jquery.org and Google are trusted with a shockingly large percentage of the total infrastructure of the web. Recently, that trust has been placed in doubt. Jquery has also been subject to exploits in the past: http://www.cvedetails.com/vulnerability-list/vendor_id-6538/Jquery.html

*) Speed up web browsing. jquery 2.1 is 86kB. All of the HTML on my site is 32kB uncompressed. Enough said.

*) Enhance privacy. Google and jquery.org (a private organization sponsored by many of the largest companies in the world) are using jquery to track your browser. They are doing it right now.

While doing research to back up this request, I came across this site:
http://www.awwwards.com/websites/jquery/
giving awards to the best jquery sites. I sampled a few of them and found that a surprising number of them are hosting jquery themselves. This is a new trend resulting from the Snowden revelations. The web developers don't trust Google.

Thanks for your consideration.

Postby barbaz » Mon Apr 28, 2014 4:00 pm

You can already do something similar to what you want by downloading the relevant version(s) of jQuery from its official site and setting up NoScript to block the "offending" scripts and use the downloaded jQuery(ies) as a surrogate script (put the downloaded script's file:// URL in the .replacement pref and a URL pattern matching the relevant blocked script in the .sources pref).
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query

Postby mellpell » Mon Apr 28, 2014 7:03 pm

barbaz wrote:You can already do something similar to what you want by downloading the relevant version(s) of jQuery from its official site and setting up NoScript to block the "offending" scripts and use the downloaded jQuery(ies) as a surrogate script (put the downloaded script's file:// URL in the .replacement pref and a URL pattern matching the relevant blocked script in the .sources pref).



That is a terrific tip. It would be great if that was the default.

Postby bonanza » Thu May 29, 2014 11:34 am

barbaz wrote:You can already do something similar to what you want by downloading the relevant version(s) of jQuery from its official site and setting up NoScript to block the "offending" scripts and use the downloaded jQuery(ies) as a surrogate script (put the downloaded script's file:// URL in the .replacement pref and a URL pattern matching the relevant blocked script in the .sources pref).


Thanks for the hint. I gave it a try but it doesn't seem to work. It would be nice if you can help me.

Here are my prefs:
Code:
noscript.surrogate.googleapis.replacement
file:///home/user/jquery-git1.min.js

noscript.surrogate.googleapis.sources
https://ajax\.googleapis\.com/ajax/libs/jquery/1\.7\.1/jquery\.min\.js


The link to the local file seems to work (if I copy and paste it into the navigation bar, I see it), but when I'm browsing e.g. https://math.stackexchange.com/ I see a red banner:
"Mathematics Stack Exchange requires external JavaScript from another domain, which is blocked or failed to load."
which comes due to the fact that I'm blocking ajax.googleapis.com using RequestPolicy. Is there anything I'm missing or doing wrong?

Thanks for your help in advance!

EDIT:
I also tried:
Code:
!@https://ajax\.googleapis\.com/ajax/libs/jquery/1\.7\.1/jquery\.min\.js

but without success.

Postby barbaz » Thu May 29, 2014 2:49 pm

bonanza wrote:when I'm browsing e.g. https://math.stackexchange.com/ I see a red banner:
"Mathematics Stack Exchange requires external JavaScript from another domain, which is blocked or failed to load."
which comes due to the fact that I'm blocking ajax.googleapis.com using RequestPolicy. Is there anything I'm missing or doing wrong?

If RP is blocking googleapis and it gets to the request before NoScript, then NoScript can't know to run the surrogate.

Postby bonanza » Thu May 29, 2014 4:36 pm

barbaz wrote:
bonanza wrote:when I'm browsing e.g. https://math.stackexchange.com/ I see a red banner:
"Mathematics Stack Exchange requires external JavaScript from another domain, which is blocked or failed to load."
which comes due to the fact that I'm blocking ajax.googleapis.com using RequestPolicy. Is there anything I'm missing or doing wrong?

If RP is blocking googleapis and it gets to the request before NoScript, then NoScript can't know to run the surrogate.


OK, is there any way to control the order of execution?
Btw: Is there any (debug) log where I can check whether the surrogate is working?

Postby barbaz » Thu May 29, 2014 4:52 pm

bonanza wrote:OK, is there any way to control the order of execution?

Not that I know of.
However, it seems that NoScript's ABE usually operates *after* script blocking, so you could try to make an ABE rule to replace your RP settings for that site.

bonanza wrote:Btw: Is there any (debug) log where I can check whether the surrogate is working?

No but you can insert console.log() calls in your surrogate file where you want to check things. Then you would look at the web console (Ctrl-Shift-K, or at least it used to be that - not sure if that changed though).

Postby Thrawn » Fri May 30, 2014 3:52 am

barbaz wrote:you could try to make an ABE rule to replace your RP settings for that site.

E.g. something like this:
Code:
Site ^https://ajax\.googleapis\.com/ajax/libs/jquery/1\.7\.1/jquery\.min\.js$
Accept
Site .ajax.googleapis.com
Accept from SELF
Deny

Then in RP, allow all requests to ajax.googleapis.com.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

Postby bonanza » Fri May 30, 2014 9:31 am

Thanks for your help! (But I still don't think it's working for me, I will keep on trying ;-) )
BTW there is a Firefox add-on which claims to do exactly this: 'Local load' http://www.getlocalload.com/

They say that it's possible to check whether the replacement is working using Firebug and checking if the SRC has been replaced properly; unfortunately this doesn't work for me either. Would this check using Firebug also work with the NoScript method described above?

Postby Giorgio Maone » Fri May 30, 2014 12:08 pm

If you want to block ajax.googleapis.com, just forbid it with NoScript ("Forbid ajax.googleapis.com") but don't block it in Request Policy (otherwise your surrogate won't have a chance to run).
math.stackexchange.com is working fine for me with ajax.googleapis.com blocked and the following surrogate:
Code:
noscript.surrogate.localtest.sources;ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
noscript.surrogate.localtest.replacement;file:///home/ma1/noscript/surrogates/jquery.min.js

If you wanted to just replace jQuery, but otherwise load other (not replaced yet) scripts from ajax.googleapis.com, then you should have used "Allow ajax.googleapis.com" but put the following rule in your ABE USER ruleset:
Code:
Site ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Deny INC


Unfortunately, the above ABE rule does not usually trigger the surrogate at the correct time because of speculative loading: jQuery is loaded before the DOM exists, therefore it currently doesn't work.
I'm looking for a work-around to reliably trigger Surrogates on ABE-blocked scripts at the right time, possibly in the next release: at this moment your use case is supported only for scripts forbidden in NoScript ("Forbid ajax.googleapis.com").

At any rate, do not block anything you need Surrogate to be triggered by with RequestPolicy.

Postby Giorgio Maone » Fri May 30, 2014 9:14 pm

Giorgio Maone wrote:I'm looking for a work-around to reliably trigger Surrogates on ABE-blocked scripts at the right time, possibly in next release

Done in latest development build 2.6.8.27rc2, please check it.
Giorgio Maone wrote:At any rate, do not block anything you need Surrogate to be triggered by with RequestPolicy

Not true anymore, I hope. Didn't test yet, but now external scripts surrogates should be triggered by any loading failure of a matching script source, no matter the reason, including RequestPolicy or adverse network accidents :)