Replace Google-supplied javascripts -- How?

[markfilipak]

Hello All,

Here: https://forum.palemoon.org/viewtopic.php?p=57961#p57961,

You can direct your efforts towards the Noscript extension, which does exactly this: replace essential scripts (that, if blocked, break functionality) that perform analytics/tracking with its own safe version.

Is this so? Noscript will replace the javascripts found at googleapis.com (and others) with it's own javascipts from which the spyware has been removed?

Background/Details:
Much of the Internet has gone dark to me because I use this: http://winhelp2002.mvps.org/hosts.htm. These type of "links":

Code: Select all

<a class="title" data-goto="08da052d-6336-4e53-a1a1-70797dde9d3f" data-url="/news/solar-impulse-breaks-record-for-longest-sun-powered-flight/">
<div class="col-1"><div class="progress">2</div></div>
<div class="col-3"><div class="hed">Solar Impulse breaks record for longest sun-powered flight</div><span class="topic">Sci-Tech</span></div>
</a>

rely on Google-supplied scripts to interactively add the 'href' attributes. Since I don't allow these scripts to load, the 'href' attibutes don't get added and the "links" don't do anything.

Never mind that 99.9% of all the links could be static links, 'webmasters' apparently don't care. Google spyware makes their lives easier, so they don't care. When I confront them, they say, "Why don't you use Chrome?".

[barbaz]

Yeah, that's some pretty messed up stuff. Please provide the URL of the site that does that.
(Although I think I can come up with something with the information you gave, I can't be sure it's the best solution.)

[markfilipak]

Yeah, that's some pretty messed up stuff. Please provide the URL of the site that does that.
(Although I think I can come up with something with the information you gave, I can't be sure it's the best solution.)

Sorry to be gone so long. I forgot that some versions of phpbb don't automatically subscribe the thread starter to his own thread.

I can't get into the following sites: EBay, CNet, IMDb -- those are off the top of my head.

The symptom is this: I can log in, and see my user settings, but when I try to access the site's main contents (seller listings, news articles, movie listings) I'm no longer logged in. If I try to log in from the main settings, it silently fails. If I try to trick the system by registering (just as a workaround), the system says I'm already registered and it shows I'm logged in (for example, by displaying my name), but when I return to the main consents, I'm not logged in.

This all started about 1-1/2 months ago. The only thing I can figure out is that a lot of sites are using Google-supplied javascript and json, and those scripts changed for everyone at the same time because Google changed them. I show the symptom because I block Google code. That didn't used to matter, but as of about 1-1/2 months ago, the Google code started appearing as dynamic links and buttons. Static links and buttons (i.e., normal hrefs and normal submits) work, but the Google-driven links and buttons (like the code I posted in this thread starter) don't work.

I was told that Noscript would help... that Noscript would patch out these new, non-functional Google scripts, but I don't think that's right.

In the (Mozilla) Pale Moon forum, I explained all this, to which someone recommended Noscript. I read the Noscript product description and it seems to be simply a blacklist tool, not a script-replacer. ...let me explain...

Suppose Google supplies a script named "arf.js". If I block everything coming from the google.com domain and Noscript supplies a safe & sanitized "arf.js" (that is not spyware), then web sites won't know the difference and will work with the Noscript version of "arf.js". However, I don't believe that Noscript works that way.

Please tell me I'm wrong and that Noscript will cure my problems. I could "fix" the Google javascripts by removing their spyware code and then give those healthy scripts to Noscript to use. Note that most of the Google-supplied javascript is open source, but has been modified by Google (example: json).

I hope what I've written here makes some sense to someone. Google is taking over the Internet by supplying code it controls. Webmasters are using that code because it makes their jobs easier. It's what the Nazi's called a "fifth-column" operation.

PS: I should point out that I fingered Google because I tracked HTTP headers that DID NOT COME FROM GOOGLE SEARCH and found that my links were being redirected through Google servers anyways. I didn't see it explicitly until I used the 'Live HTTP Headers' plugin. To back up slightly, I installed 'Live HTTP Headers' because I did see the word "Google" flash by. ...Errr, what do I mean? Suppose you mouse-over a link that says "http://somewhere.com/something.htm', but when you clicked it, you saw the browser's status bar momentarily flash ...google.com... You would get suspicious, right? Well, that's what happened that prompted me to install the 'Live HTTP Headers' plugin.

[markfilipak]

Okay, I went ahead and installed the Noscript plug-in.

It's a blacklist manager, plain and simple. It does not make 3rd-party javascripts safe.

If anyone can contact the developer of Noscript, I have a need that could be added to Noscript that would make it KILLER!!!! I will even work to make it happen... free, no charge, no kidding ----- I'm a retired engineer who personally would like nothing better than to bust Google's chops.

Please ask the developer to contact me.

Thank You.

Google = evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil, evil ... ... ...

[Thrawn]

NoScript does have the capability to do exactly what you describe. Giorgio describes it on his blog:

Script Surrogates vs Google Analytics
Script Surrogates Quick Reference

There are over 40 built-in surrogates for various tracking sites. The quick reference above should give you an idea of how to add your own. We're also happy to help write surrogates for specific situations. As barbaz mentioned, if you can supply exact URLs for the pages that break, we can analyse them and try to assemble a surrogate to un-break them.

[barbaz]

Sorry to be gone so long. I forgot that some versions of phpbb don't automatically subscribe the thread starter to his own thread.

Change that here ucp.php?i=prefs&mode=post

[Thrawn]

Does this surrogate help with the original situation?

Property

Code: Select all

noscript.surrogate.html5DataUrl.sources

Value

Code: Select all

!@*

Property

Code: Select all

noscript.surrogate.html5DataUrl.replacement

Value

Code: Select all

var anchors = document.getElementsByTagName('a');
for (i = 0; i < anchors.length; i++) {
  if (typeof(anchors[i].dataset['url']) !== 'undefined' && anchors[i].href === '') {
    anchors[i].href = anchors[i].dataset['url'];
  }
}

[barbaz]

Value

Code: Select all

!@*

Should this be

Code: Select all

!@.*

?

[markfilipak]

THANK YOU ... THANK YOU ... THANK YOU ... !!!

(Uh, sorry for the exuberence.)

It's 2-o'clock in the morning here, so I'll have to get to this when I awaken...

I read a bit of this: Script Surrogates vs Google Analytics, (written in 2009, eh?), and I can tell you that in the last 1-1/2 months, these scripts (I suspect 'googleapis.com') shifted into overdrive. I don't grok the surrigate syntax, but I will learn.

I don't know what a "document.getElementsByTagName('a').dataset['url']" property is, but I will try to figure it out. I'm pretty good at JS. I don't usually do named elements ...isn't "dataset['url']" simply "dataset.url"?

PS: In addition to <a>-elements with no 'href' attribute, I'm also seeing links that are really <div>-elements. The Google code must be adding event listeners to the <div>-elements that fire into ...oh, what the hell is the name of them... scriptlets that fetch server values without either loading a new page or reloading the existing page... they're used to make browser-based applications... I think Microsoft created them... I can't remember the name of them. Ah! Ajax.

[barbaz]

PS: In addition to <a>-elements with no 'href' attribute, I'm also seeing links that are really <div>-elements. The Google code must be adding event listeners to the <div>-elements that fire into ...oh, what the hell is the name of them... scriptlets that fetch server values without either loading a new page or reloading the existing page... they're used to make browser-based applications... I think Microsoft created them... I can't remember the name of them. Ah! Ajax.

The only time I have tried to create a surrogate for a page's ajax before is for my lazy load images surrogate, but generally I had dismissed surrogateing ajax as too complicated and site-specific...

If these Google scripts are sitting on "ajax.googleapis.com" then one thing you could try is look at the name of the script(s) (you can see the full details of Google requests you're blocking, right?) and download those scripts from a site you trust and set them up as file: URL surrogates (put a file: URL pointing to the downloaded script file in place of the replacement, and NS will run that file; sources matches the blocked googleapis script). People have asked about doing exactly this for googleapis jquery elsewhere on the forum, where I've pointed them to the official jquery site and Microsoft's CDN (aspnetcdn) as sources for downloading jquery. Basically if you download the scripts from the official site or a CDN you trust you should be fine.

[markfilipak]

Hi,

First, I must say that I'm so relieved. I wondered whether this was all in my head. I feel like a recovering addict. I thought I was the only one who was having these problems. I was even ridiculed by people who thought I should just run Google Chrome, stop worrying, and live a happy life.

...generally I had dismissed surrogateing ajax as too complicated and site-specific...

...you can see the full details of Google requests you're blocking, right?

No, I can't. You see, I'm using a custom HOSTS file to do the blocking, so I get no notice when the browser is directed to 'http://0.0.0.0' by the HOSTS file's local DNS. I have not found a tool that will expose the sources of objectionable javascripts conveniently. The best is probably the Network logger of the Firefox Web Console. But it's not tied in with a blacklist or the HOSTS file, so it's a bit too verbose in things I don't care about and too terse in things I do.

What occurs to me is 2 approaches: 1, an AI that can "see through" what Google is doing and that can rewrite javascripts on the fly, or 2, a publicity campaign to promote 'http://winhelp2002.mvps.org/hosts.htm' to get even a small minority of people to use its HOSTS file. Either is a very hard slog through deep mud that would suck us under. I'm not at all familiar with what you folks here call 'surrogates', but it seems that such an ad hoc approach is doomed to fail.

I think a blacklisting HOSTS file is the simplest, most effective approach that people will understand. Commerce will abandon Google if even a few-percent of people stop visiting their sites because they stop working.

PS: Another "solution" is anonymizers that would make big data useless.

[Thrawn]

Value

Code: Select all

!@*

Should this be

Code: Select all

!@.*

?

Well, having just an asterisk seems to work for me. Based on the existing surrogate sources, I believe it's a url matcher unless it starts with a carat.

It's 2-o'clock in the morning here, so I'll have to get to this when I awaken...

Get some sleep ! Let us know if the provided surrogate works when you get to it.

I don't grok the surrigate syntax, but I will learn.

The 'replacement' property is just JavaScript. The property naming convention is described in the quick reference: you need a 'sources' property to describe which sites to run it on, and a 'replacement' script that will run.

I don't know what a "document.getElementsByTagName('a').dataset['url']" property is, but I will try to figure it out.

HTML5 introduced a syntax where any element can have attributes called data-xxx, and then you can access them as element.dataset['xxx']

I don't usually do named elements ...isn't "dataset['url']" simply "dataset.url"?

Probably. Is there a performance difference?

In addition to <a>-elements with no 'href' attribute, I'm also seeing links that are really <div>-elements.

Interesting. Do these divs contain the actual URL that they should link to? If so, then it's pretty straightforward to extract it and make a link.

[barbaz]

I was even ridiculed by people who thought I should just run Google Chrome, stop worrying, and live a happy life.

(emphasis mine)
I'm pretty sure you mean "trolls"
No "legitimate" person would give you that kind of bull-dookie.

I have not found a tool that will expose the sources of objectionable javascripts conveniently.

Tried HTTPFox?

What occurs to me is 2 approaches: 1, an AI that can "see through" what Google is doing and that can rewrite javascripts on the fly, or 2, a publicity campaign to promote 'http://winhelp2002.mvps.org/hosts.htm' to get even a small minority of people to use its HOSTS file.

(1) is simply impossible for JS-based sites. It may, however, be more realistic for sites that adopt the future Web scripting language wasm.
How will (2) block Google? Google domains are not blocked in that HOSTS file, I thought you said you had to customize your HOSTS file to block Google...

I'm not at all familiar with what you folks here call 'surrogates', but it seems that such an ad hoc approach is doomed to fail.

No it's not. Unless Mozilla seriously screws the Gecko add-ons platform in some horrible way, it's not "doomed" to anything. Even then, besides, you're using PaleMoon which is far saner on this kind of thing and less likely to kill useful functionality such as that which makes surrogates possible.

[markfilipak]

I'll write more in a few days. Right now I'm buying a new car so I'm a little distracted. But I just read your responses and ... well, I wanted to say that it's been a long time since I last fell in love, but I think I'm falling in love with you guys. Thanks for being ...............helpful.

[barbaz]

You're welcome