Private_Tab icon indicating copy to clipboard operation
Private_Tab copied to clipboard

Published 20 hours ago verified publisher icon Infocatcher

Enable opening private:///# flag from web pages.

Open nhantrn opened this issue 10 years ago • 6 comments

I notice that the private:///# flag only work on Firefox's XUL level and not on web pages. Can you make it possible on the browser DOM too?

The reason is sometime I open external links in new private tab from the context menu, and I thought I could make a userscript to modify those links with the private:///# flag and have it automatically done for me.

nhantrn avatar May 17 '14 06:05 nhantrn

This was forbidden for privacy purposes and result of URI_DANGEROUS_TO_LOAD flag: https://github.com/Infocatcher/Private_Tab/blob/0.1.7.1/protocol.js#L45-L50

Without this any script from web-page can get private data like cookies. Probably not critical for site itself (but wrong "by design" because "private" should means something private), but not appropriate for some third-party tracking scripts.

Anyway, you still can use GM_openInTab() to open links.

Also other possible flags aren't useful in this case, see http://mxr.mozilla.org/mozilla-central/source/netwerk/base/public/nsIProtocolHandler.idl

    /**
     * +-------------------------------------------------------------------+
     * |                                                                   |
     * |  ALL PROTOCOL HANDLERS MUST SET ONE OF THE FOLLOWING FIVE FLAGS.  |
     * |                                                                   |
     * +-------------------------------------------------------------------+
     *
     * These flags are used to determine who is allowed to load URIs for this
     * protocol.  Note that if a URI is nested, only the flags for the
     * innermost URI matter.  See nsINestedURI.
     *
     * If none of these five flags are set, the URI must be treated as if it
     * had the URI_LOADABLE_BY_ANYONE flag set, for compatibility with protocol
     * handlers written against Gecko 1.8 or earlier.  In this case, there may
     * be run-time warning messages indicating that a "default insecure"
     * assumption is being made.  At some point in the futures (Mozilla 2.0,
     * most likely), these warnings will become errors.
     */

    /**
     * The URIs for this protocol can be loaded by anyone.  For example, any
     * website should be allowed to trigger a load of a URI for this protocol.
     * Web-safe protocols like "http" should set this flag.
     */
    const unsigned long URI_LOADABLE_BY_ANYONE = (1<<6);

    /**
     * The URIs for this protocol are UNSAFE if loaded by untrusted (web)
     * content and may only be loaded by privileged code (for example, code
     * which has the system principal).  Various internal protocols should set
     * this flag.
     */
    const unsigned long URI_DANGEROUS_TO_LOAD = (1<<7);

    /**
     * The URIs for this protocol point to resources that are part of the
     * application's user interface.  There are cases when such resources may
     * be made accessible to untrusted content such as web pages, so this is
     * less restrictive than URI_DANGEROUS_TO_LOAD but more restrictive than
     * URI_LOADABLE_BY_ANYONE.  See the documentation for
     * nsIScriptSecurityManager::CheckLoadURI.
     */
    const unsigned long URI_IS_UI_RESOURCE = (1<<8);

    /**
     * Loading of URIs for this protocol from other origins should only be
     * allowed if those origins should have access to the local filesystem.
     * It's up to the application to decide what origins should have such
     * access.  Protocols like "file" that point to local data should set this
     * flag.
     */
    const unsigned long URI_IS_LOCAL_FILE = (1<<9);

    /**
     * The URIs for this protocol can be loaded only by callers with a
     * principal that subsumes this uri. For example, privileged code and
     * websites that are same origin as this uri.
     */
    const unsigned long URI_LOADABLE_BY_SUBSUMERS = (1<<10);

P.S. Also since Private Tab 0.1.7.1 you can use simple private: prefix.

Infocatcher avatar May 18 '14 10:05 Infocatcher

@nhantrn, I have found some workaround for this problem, described here: https://github.com/Infocatcher/Private_Tab/issues/187#issuecomment-132480958

MurzNN avatar Aug 19 '15 07:08 MurzNN

I can't seem to get GM_openInTab() to work. Any working example available?

Here's what I tried.

var lol = "private://https://youtu.be/uDjwlU6p0y8";
GM_openInTab(lol);

ghost avatar Feb 10 '16 19:02 ghost

I can't seem to get GM_openInTab() to work. Any working example available?

You probably missed @grant GM_openInTab option. Should be something like

// ==UserScript==
// @name        GM_openInTab + private:
// @namespace   dev/null
// @include     https://github.com/*
// @version     0.1
// @grant       GM_openInTab
// ==/UserScript==

var lol = "private:https://youtu.be/uDjwlU6p0y8";
GM_openInTab(lol);

Infocatcher avatar Feb 15 '16 22:02 Infocatcher

Cheers @Infocatcher I used it in this gist, which is related #187 . It overrides the click action for certain links and opens them in a private tab.

ghost avatar Feb 16 '16 13:02 ghost

@LoveIsGrief, thanks for example, I have create project with working Userscript that open links with 'private' html attribute in private tabs, here is the source: https://github.com/Qseo/OpenWithLink

MurzNN avatar Feb 18 '16 12:02 MurzNN