I tracked the problem down to the following ABE rule:
Code: Select all
Site *
Accept from SELF++
Anonymize INCLUSION
Accept GET
Anonymize
Code: Select all
Site ^https://geo[0-9]+\.ggpht\.com/.*$
Accept INCLUSION(XHR) from ^https://www\.google\.com/maps.*$
But I am at a loss to explain why the "Anonymize INCLUSION" line was causing a problem in the first place. According to the Rules Specification ...
But I checked the pre-Anonymize headers, and there are no "Authorization" headers. Cookie striping isn't to blame, either, as I had no problem testing with cookies deleted and disabled. Method conversion isn't applicable, as I checked the Browser Console and can see from NoScript's output that the requests it is Anonymize-ing are of type GET. Removing upload data is not applicable, either ...Anonymize (synonyms are Anon and Logout) – strips Authorization and Cookie headers,
turns methods different than GET, HEAD and OPTIONS into GET, remove upload data,
then sends the modified request.
So it seems that Anonymize is doing something in addition to what's documented. Can anyone clarify for me what's going on?