Forced Surrogates

[Pom]

(in a scenario where the surrogate is an untrusted third party such as GA)

And in a scenario where the surrogate is first party and that first party site has Javascript disabled, then the surrogate is simply not used.


Your misconception may come from the fact that you believe surrogates are actual code, but they are not. They're empty, void, blank, they don't do anything, their only goal is to make the script that called them (the one you allowed, such as example.com) think that the forbidden script is present.

Just learn to read the code yourself if you're that doubtful. Surrogates are especially simple to review.

[Thrawn]

Well explained, thanks

[nobody0]

hello Pom.
i'm very sorry for such a late reply.i had been extremely busy.

How can you be so concerned on security and still be running on Firefox 11 ? :p
This thing is completely compromised, albeit less so thanks to NoScript.

Pom,i know you are somewhat trolling with this one,but you bring up a good point.
so,i'll gladly answer you.

there is a huge difference between someone who wants a secure browser,VS a barebones browser.
not to mention,someone who wants a secure browser,AND a barebones browser.

while i agree 11 has some security problems.it's still more secure than 29,29.0.1,or even 30,because they are crammed
full of garbage.(this obviously creates a lot of security holes.)
in 11 if it's not there.then,it can not be exploited.
not to mention,11 is almost the same as 3.6.28.(with a couple of less problems.)
that's why i,& so many other people use 11!

i know you are somewhat joking,but you are wright.
making 11 as secure as possible with NS is a huge priority.

just for the record:when i say,"i want the page to be intentionally broken!"
i mean,"i want the page to be intentionally broken!!!"
why would i want some garbage to appear within a page,unless i tell it to!?(clearly,i don't!!!)


hello Thrawn.
again,i'm very sorry for such a late reply.i had been extremely busy.

if i block google-analytics.com.(through untrusted,or ABE.)
then,i intentionally want the page to be broken.
do you see my point!???

No. I have no idea why you actually *want* the page to be broken? And by 'broken' I mean "ordinary page functions,
like clicking buttons, do not work". If surrogates can safely fix that, why do you want it broken?

'cause i don't want the buttons,log in/report a bug boxes,games,videos,or anything else to work unless i tell it to work!
like i said,"i want the page to be intentionally broken!!!"(and i mean it!!!)

example1...
good!

example2...
good!

example3:i go to example.com,& allow it's js to run.with google-analytics.com(untrusted.)
the GA surrogate does nothing.(it only fixes js errors.)correct:YES,or NO???

The surrogate will run, which (we hope) will fix JS errors by providing blank objects to the page, and that's all.

okay,while a little annoying.as long as the surrogate only shows empty placeholders for different objects,fixes js errors,& doesn't activate anything else.
i guess,i'm okay with it.i'll put up with it.

example4...
my answer is also the same as i gave for example3.

example5:i go to example.com,& allow it's js to run.now,i (temporary)allow google-analytics.com to run.
the GA surrogate stops the google-analytics.com from running. as if google-analytics.com was never there.
then,GA surrogate sanitizes GA's data collection.after that,the GA surrogate activates for example:example.com's log in box,report a bug box,a game,or a video that the actual google-analytics.com was supposed to activate.
...AND if necessary,the GA surrogate fixes js errors.
correct:YES,or NO???

Absolutely NO. If you allow GA, then the surrogate does not run, the real script does. The surrogate is not about sanitising, overriding, interfering, or anything of the kind. It only operates when the real script was blocked.

THIS IS HORRIBLE!!!THAT'S EXACTLY WHAT I DON'T WANT!!!

so,"i was wright" from the start!
i'm sorry i didn't make my self "more" clear.when i said,"the real google-analytics.com would run." (dam it!i knew it!)

let me get this straight:
if i "don't want" the buttons,log in/report a bug boxes,games,videos,or anything else to work.
they will work.

if i "do want" the buttons,log in/report a bug boxes,games,videos,or anything else to work.
first,i would have to turn off/destroy all surrogates.(just so they don't work,because i don't want them to work.)then,
temporary allow google-analytics.com to run.(and we all know how bad google-analytics.com is!)
so,after that,the GA surrogate does nothing. (are you kidding me!???)

Thrawn,please explain to me what (personally) possessed you,Giorgio,or any of you to think:that,"unless" we want
the buttons,log in/report a bug boxes,games,videos,or anything else to work.they should work/appear!?????

if anything,the GA surrogate should "only,only,only" override the google-analytics.com when the google-analytics.com is (temporary)allowed."then,& only then" should the GA surrogate allow the buttons,log in/report a bug boxes,games,videos,
or anything else to work/appear!!!
(this should obviously apply to all other surrogates.)

seriously,am i the only one who thinks this is better!???

good to know that the GA surrogate ignores the example.com/ga.js!

All that achieves is to break example.com - and I don't understand why you want to do that.

again,you are assuming that example.com/ga.js is a legitimate copy of google-analytics.com/ga.js.
it doesn't mean,"i want it to run!"

this ABE rule has "never" broken any functions on any of the billion websites that i had visited.
# ANNOYANCES BLOCK
Site .*/*ga.js*
Deny

i'm sure it will happen eventually,but so far no problems!

now,if example.com/ga.js is "not" a legitimate copy of google-analytics.com/ga.js,altered,or malicious.
then,obviously using my ABE rule is a good idea!
better safe than sorry! (wouldn't you agree!?)

just so we are clear:you are referring to example.com/ga.js!?so,then the GA surrogate does nothing,because the GA surrogate doesn't recognize the example.com/ga.js exactly the same as google-analytics.com/ga.js.(as you said above.)
so,the surrogates aren't relevant then!???
correct:YES,or NO???

If there is no surrogate defined for example.com/ga.js, then surrogates have no relevance.

close enough.it's pretty much what i had said.

however,i knew that the surrogates can activate different modules inside the websites.(such as:log in/report a
bug boxes,games,videos,sanitize data collection,& give data-less results to google when you search for something.)

I think you still misunderstand. Surrogates do not 'activate' things. They do not call external scripts.

no,you misunderstood me.i am "not" talking about external scripts.(like i said,"any new external scripts would show up as new domains/sites in noscript's pull down menu.business as usual.)

these things "are" hosted on the example.com.

if i didn't have it,i would be exposed to the bad stuff inside example.com/ga.js.
then again,you take a risk like that everytime you allow js from any website.(lets hope ClearClick catches something if
applicable.)
so,business as usual.

Yep. Business as usual.

finally,for the 1st time we actually understood each other 110%.

like i said,"if Giorgio said:the surrogates "only,only,only fix js errors," & don't activate anything until the user for example:(temporary)allows google-analytics.com." (pretty much business as usual.)
that would be great,but he never clearly said that!?did he???
see the problem!?

If you want to use the surrogate, then DO NOT ALLOW GOOGLE-ANALYTICS.COM. The surrogate should make it unnecessary.

Is that clearer?

yes,much clearer.thank you!
however,like i said,"this is a horrible way of doing this!!!"

as far as your second reply...lol,its an interesting/good analogy,but not really necessary.
i knew 98% of this before my first post.like i said,"it's just the way Giorgio phrased things sounded like the surrogates will work no matter what."
it just threw me for a loop,that's all.

after all,surrogates=replacement/substitute.
pure,& simple.(i knew that.)

But I think you misunderstand the mechanism.

The surrogate is not jumping in and sanitising the real script.
It is filling the void left behind by the real script being blocked.

no,you misunderstood me again.
what i said was,"the surrogate will replace the real script."
i knew that the surrogates "do not" sanitize anything inside the real script for the last 20-22 years!(if they did.they
would not be "true" surrogates.now,would they!?)

again,surrogates=(complete)replacement!
now,that would be a real surrogate!

a better analogy would be:your car's entire engine is too damaged.so,you found another engine from another car,model,
company,& manufacturer that will fit/connect perfectly in/to your car.
that would be a good surrogate/replacement/substitute!
OR
you need a new kidney.
so,you get a kidney transplant from someone who is not your relative.
while your new kidney is not perfect,or without it's problems.
it's still an okay surrogate/replacement/substitute.

[Sam]

I think you're pretty much wasting your limited time writing such long replies while you could just read the bits of code yourself.

Here's a reference that helps figuring out how a specific surrogate is going to run.

Here's Google Analytics's:

Code: Select all

(function(){var _0=function()_0,_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);with(window)urchinTracker=_u,_gaq={__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0},_gat={__noSuchMethod__:function(){return _gaq}}})()

Do SHIFT+F4, then paste it into the window that popped up. Click "format and indent", a button located in the top right corner.

Wait no, not sure you can do so in Firefox 11. Here it is then, without the fancy coloring of Firefox dev tools:

Code: Select all

(function () {
    var _0 = function () _0,
    _u = function () {
    };
    _0.__noSuchMethod__ = _0;
    ('ga' in window) || (ga = _u);
    with (window) urchinTracker = _u,
    _gaq = {
        __noSuchMethod__: _0,
        push: function (f) {
            if (typeof f == 'function') f();
             else if (f && f.shift && f[0] in this) this[f.shift()].apply(this, f)
        },
        _link: function (h) {
            if (h) location.href = h
        },
        _linkByPost: function (f) {
            if (f && f.submit) f.submit();
            return true
        },
        _getLinkerUrl: function (u) {
            return u
        },
        _trackEvent: _0
    },
    _gat = {
        __noSuchMethod__: function () {
            return _gaq
        }
    }
}) ()

Then read or go learn how to read, it will be way shorter than writing your huge posts which nobody understand and thus nobody can reply properly, meaning you will never be satisfied in any reasonable amount of time.


Google Analytics surrogate source field has no prefix so according to the reference I linked, it falls in this category:
- blocked script surrogate
matches blocked scripts
runs only if page is script allowed
runs when the blocked matched script would have

So it won't run unless you allow JS on example.com, that website you're visiting which tried to load GA. GA itself won't run but example.com will work as expected from you since you allowed it to run JavaScript.

Why you would allow JS and still want a website not to work is beyond me, but whatever floats your boat you can still modify surrogates yourself. Here's a blank surrogate:

Code: Select all

(function () {}) ()

Security wise, Firefox 11 is certainly compromised even with NoScript's strictest security settings. CSS, SVG, cross-origin policy bugs, compromised SSL certificates, you name it, I would not touch it with a ten foot pole. You can patch it all you want you're pretty much guaranteed to miss stuff, and you would arguably better spend that time disabling all those fancy features you don't like in Firefox 30 or Firefox 24.6 ESR. But again that's just educated advice, you can do whatever you want.


Apologies for the expeditious tone, it's not directed at you I ended up being in a hurry and cut short with courtesy to get to the point.

[Thrawn]

Absolutely NO. If you allow GA, then the surrogate does not run, the real script does. The surrogate is not about sanitising, overriding, interfering, or anything of the kind. It only operates when the real script was blocked.

THIS IS HORRIBLE!!!THAT'S EXACTLY WHAT I DON'T WANT!!!

Then don't allow google-analytics.com. Problem solved.

Or if a script is hosted at example.com/ga.js, then don't allow example.com. Problem solved.

Surrogates are irrelevant to this.

[nobody0]

hello Sam.
thank you for your helpful advice "in not at all" passive-aggressive tone/way.
for the record,unless you directly insult me.i don't care.

lol.you hate reading this mess!? imagine how i feel about dealing with this first hand!

look,if it bothers you.(it certainly bothers me.)
then,ask Thrawn,or one of the other mods to sanitize this whole thread.
there should be nothing left but my 1st post.

post#2
Postby Giorgio Maone » Sat Jun 21, 2014 blah,blah.

yes/okay i will do it.

OR

NO, NEVER.

Giorgio doesn't even need to give a reason why he is saying no.

THAT'S IT! THAT'S HOW THIS THREAD SHOULD HAD BEEN DONE!


i had said everything there is to say about every little detail gazillion times.Sam,since you like short replies.i will only repeat what's relevant/important.

#1
for the gazillionth and 1st time in a row:
i intentionally don't want to know how bad js(for example:google-analytics.com) ,or how the surrogates(for example:GA surrogate) work.

DOESN'T MATTER WHY! we are not even going to waste time discussing it!


#2
just because i allow js to run on example.com.it doesn't mean i want the surrogate to make anything (directly,or indirectly) to appear.
9 out of 10 times whatever appears is non essential to the functions of example.com.

I HATE IT!!! I DON'T WANT IT THERE!!!
"unless,& only unless" i tell that garbage to appear.

when i say,"I INTENTIONALLY WANT THE PAGE TO BE BROKEN!" i mean,"I INTENTIONALLY WANT THE PAGE TO BE BROKEN!"

really,WHO CARES WHY!??? (IT'S NOT IMPORTANT!)

WTF DOES NO ONE UNDERSTAND THIS/ME!??? am i speaking in a different language???

'Nuff Said.


@ Thrawn.
no,no,& no.
you had lost focus completely...

i'll repeat:
if i allow js to run on example.com.it doesn't mean i want the surrogate to make anything (directly,or indirectly) to appear.

THIS IS HORRIBLE!!!THAT'S EXACTLY WHAT I DON'T WANT!!!

this has nothing to do with example.com/ga.js


Thrawn...if you care. read what i had said to Sam above.
AND
before i literally die of old age...Thrawn,please,please,pleeeeeeeaaaaasssee, ask Giorgio to answer my very 1st post.
THANK YOU!!!

[Sam]

thank you for your helpful advice "in not at all" passive-aggressive tone/way.

See last line of my previous post. It's what I call no fancy pants language! (I don't like it even if it does get down to things fast)

you hate reading this mess!?

No it's funny.

it certainly bothers me

That's the least I would expect *patpats*

i intentionally don't want to know how bad js(for example:google-analytics.com) ,or how the surrogates(for example:GA surrogate) work.

Your attitude reminds me of those guys who just don't want to hear about vaccines. You'd save so much time and suffering by just following our advice but as I said, whatever floats your boat.

we are not even going to waste time discussing it!

Regarding your very first post:

i hope i'm wrong,but does this mean:bad js will run(on some level) even if it's blocked by ABE!?
please tell me i'm wrong!

You are right in the parallel universe where NS surrogates are bad JS.
Assuming Giorgio doesn't add the about:config pref that you are requesting you can still, and I'm going to surprise you a lot, learn how to read the surrogates
You can then "sanitize" them however you like, since I assume you don't want to disable them completely. But I hope you are conscious that NoScript has a load of code that runs in your browser with important rights and you have no idea what it really does when surfing (there are lots of specifics). Distrusting just the surrogates which represent the easiest bit of code to grab and modify makes no sense, so I'll just sit back.

I hope you won't catch Ebola.

[nobody0]

hello Sam.

thank you for your helpful advice "in not at all" passive-aggressive tone/way.

See last line of my previous post. It's what I call no fancy pants language! (I don't like it even if it does get down to things fast)

you clearly didn't see that i put a smiley after that.which means:i'm okay with that "joke" of yours.
yes,i did see your last statement.

let me guess,you also think these are not insulting:
Your attitude reminds me of those guys who just don't want to hear about vaccines.
...and I'm going to surprise you a lot, learn how to read the surrogates.
But I hope you are conscious that NoScript has a load of code that runs in your browser with important rights and you have no idea what it really does when surfing (there are lots of specifics).

if you "think," i don't know about the benefits,& harms(especially long term) of vaccines,or the harms of the mercury they are stored in.
AND
you "think," i had never read the webpage code,js code,or the surrogates code.
OR
you "think," i don't know how much code,& other stuff NoScript injects into a page.

well,that says more about you than me! (i'm not being sarcastic,& if you are offended by it.fine!)
don't insult my intelligence!it's not like i'm trying to insult you!
i also hope you "don't" catch ebola.

you hate reading this mess!?

No it's funny.

please,tell me you were being sarcastic!?
this mess is truly sad,& not at all funny.

we are not even going to waste time discussing it!

unfortunately you had forced me to discuss it. "thanks a lot."

i had read a lot of bad js code,& webpage code.THAT TRACKING SHIT CREEPS ME OUT!!!

if someone did that to you in real life.not only would they be arrested for being one of the creepiest stalkers ever,but they would also be arrested for identity theft! (DID I MENTION HOW COMPLETELY CREEPY TRACKING IS!!!)

that's why i don't read the bad js code!!!

while i trust Giorgio,& others like him to make good surrogates.it doesn't mean i want to cross reference what the surrogates are sanitizing in the real the bad js.

did i really need to waste time explaining this!???

i hope i'm wrong,but does this mean:bad js will run(on some level) even if it's blocked by ABE!?
please tell me i'm wrong!

You are right in the parallel universe where NS surrogates are bad JS.

when i said,"bad js." i meant,"bad STUFF."
SORRY,MY FAULT.

not sure where you got the idea that the bad js=surrogates!?

i'll make this as simple as possible:surrogates=very good! (unless,they run without my permission.)

Sam,thank you for catching that.


@ Thrawn.
in my 1st post.could you please change:i hope i'm wrong,but does this mean:bad "js"
to
i hope i'm wrong,but does this mean:bad "stuff"
thank you.

[Sam]

So you are kinda ish-y anti-vaccines and stuff. Fine fine, it's my bad for sharing advice with random people I know nothing about

Let us know if you figure out a satisfying workaround to your concerns in case Giorgio doesn't implement your about:config pref. I'm sure a lot of people who believe pyramids were built by aliens from outer space would be interested.

Sorry sorry, that was a little disrespectful but this situation is too funny. I promise, I back out forever now. Sincere cheers nobody0

[nobody0]

@ Sam.
while vaccines are good.you think they are 100% safe,& you think the aliens build the pyramids.
wow,do i feel sorry for you.

say thank you to barbaz for this:in about:config:set noscript.surrogate.enabled to false. (it's the only thing that comes close.)

since there's no doubt in my mind who i'm dealing with.feel free to get the last insult in,& good bye.

[Thrawn]

while i trust Giorgio,& others like him to make good surrogates.it doesn't mean i want to cross reference what the surrogates are sanitizing in the real the bad js.

did i really need to waste time explaining this!???

This and your earlier comments makes it clear that you don't understand how surrogates work. There is no such thing as surrogates sanitizing the real JS. If you don't understand that, then you don't understand surrogates.

Please set aside all preconceived notions about surrogates - wipe the slate clean - and then read this. Then come back and see if we can get to understand each other.

[nobody0]

hello Thrawn.
siiiiggghh.

1.)please alter my very 1st post like i had asked you above.
2.)i do know how the surrogates work!!! i just phrased it funny.
for the 10th time in a row:surrogates=(complete)replacement!
if the real bad js doesn't run,how can the surrogate stop anything from working inside the bad js. IT CAN'T!!!
i hope i phrase this a little better:i meant:when the surrogates run(and not the bad js). the surrogates don't allow any event listeners,data collection,or tracking to be done.this won't be sent to the site you are on in one way,or another.(for example:ajaxlog.txt,server side,or whatever.)

did i phrased it better,or worse???

3.)for fuck sakes who cares why,& how...PLEASE ASK GIORGIO FOR THE FEATURE REQUEST before i literally die of old age.

[Thrawn]

1.)please alter my very 1st post like i had asked you above.

The discussion afterward might be valuable to someone.

for the 10th time in a row:surrogates=(complete)replacement!

Not exactly. Surrogates give the page an illusion of the bad JS, but it is only an empty shell.

if the real bad js doesn't run,how can the surrogate stop anything from working inside the bad js. IT CAN'T!!!

I don't understand what you are talking about? Who needs to "stop anything from working" when the whole bad script is blocked?

i hope i phrase this a little better:i meant:when the surrogates run(and not the bad js). the surrogates don't allow any event listeners,data collection,or tracking to be done.this won't be sent to the site you are on in one way,or another.(for example:ajaxlog.txt,server side,or whatever.)

Correct; nothing is sent anywhere. I'm not sure why you're still worried. I think you're still under the misapprehension that the surrogates are modifying the bad JS in some way. They are not; that is a very incorrect view of the situation. They are simply filling in the gaps left behind when the bad JS was completely blocked.

PLEASE ASK GIORGIO FOR THE FEATURE REQUEST before i literally die of old age.

I'm certainly not going to do that. I'm not entirely sure what you want, but it's clear to me that the threat you're concerned about doesn't exist. Surrogates are not, in any way, dangerous. If you really want to destroy them, you can simply delete them from your browser, but if you feel the need to do that, then you don't understand them.

[Thrawn]

If we keep talking in circles, then unless someone else objects, I'm going to lock this thread against further comments.

[Pom]

I would assume Giorgio already read your first post since he does participate in this forum, but in the mean time I would still like to understand your use case.

What you really want is the ability to:
1- Replace a third party script with its NS surrogate
2- Have the surrogate run on any website that requires the third party script
3- Have the surrogate NOT run on websites that require the 3rd party script if an ABE rule or Adblock Plus explicitly forbid that script

Right ?

I would like to understand what use you have for point 3.
For instance a category of surrogates run when JS is disallowed. You can search for "!" in about:config to find them. Anyway, they will fix broken links or hide screen blockers, allowing you to click on links or see the page without having to enable JavaScript. Under which conditions would you not want for this to happen ? If you can describe this in the clearest possible terms that would be very nice, plus maybe then we could help you figuring out a better workaround than disabling all surrogates in the likely event that Giorgio doesn't implement your feature.