bandwidth-hero icon indicating copy to clipboard operation
bandwidth-hero copied to clipboard

Published 20 hours ago verified publisher icon ayastreb

Firefox: prevent axios HEAD request from downloading entire original image; CSP 'upgrade-insecure-requests' handling with http-only proxies; firefox imageset listener contingent on if proxy is HTTPS

Open changhaitravis opened this issue 5 years ago • 9 comments

Firefox-Only: Fixed HEAD requests downloading the entire original image when scouting the file-size of images on improperly configured webservers (Supposedly this also required Axios get upgraded to the latest version). Accomplished by setting {maxContentLength: 0} as config option.

The change in patchContentSecurity.js in regards to upgrade-insecure-requests should shut the door on #20 as far as CSP goes on http-only proxies, gawker sites (gizmodo/kotaku/io9) are improved, but still don't seem to work right. unwrappedlife.com is fixed.

Once again, I didn't test on chrome, but these are pretty minor changes.

Feel free to let this one linger a bit, since if we figure out what's happening with @Tomatoide's set up I'll push the fix into this pull request assuming it doesn't have to do with the proxy they're using.

changhaitravis avatar Jun 03 '19 02:06 changhaitravis

Okay, this turned out to be a bigger change than I was anticipating. Imageset counts as active-mixed-content in firefox, so I'm only enabling that listener if using bandwidth hero with an HTTPS proxy (I need to write a unit test for that detection module before the TravisCI build will pass)

changhaitravis avatar Jun 03 '19 04:06 changhaitravis

Quick question here as I'm not very knowledgeable in this area: does setting block csp reports in ublock origin affect bandwidth hero in any way?

Tomatoide avatar Jun 03 '19 14:06 Tomatoide

I'm not too familiar with ublock, but this add-on relies heavily on CSP header manipulation to work on many secure websites. So I'd avoid messing with that

changhaitravis avatar Jun 04 '19 01:06 changhaitravis

Bandwidth hero doesn't care about, and isn't affected by CSP Reports.

changhaitravis avatar Jun 04 '19 04:06 changhaitravis

Do not pull, there's some sort of bug that's causing a data drain, I've already maxxed out my data plan in a little over a week, and normally it takes me 3 weeks or so. I'll re-open this pull request after I've identified and fixed it.

changhaitravis avatar Jun 12 '19 15:06 changhaitravis

Is it better to disable the extension for now till this axios bug and the other unidentified data draining bug are fixed? I'm short on data in the upcoming weeks and don't want to risk it

Tomatoide avatar Jun 21 '19 14:06 Tomatoide

data draining bug only happens on my fork of the code. Even without the axios bug fix it would be a net save because it does not affect most websites. I would keep using.

changhaitravis avatar Jun 21 '19 16:06 changhaitravis

I'm 3 days into my billing cycle and it seems normal. I think the encountered data drain was just because it went into an off state due to #23.

changhaitravis avatar Jul 06 '19 01:07 changhaitravis

Note that in issue #23 images don't display at all Edit: yeah it seems like now images are appearing (although uncompressed) unlike the old behavior when issue #23 was first reported, where images would stop appearing at all when the extension stops working.. don't know if this is related to extension changes or newer firefox versions

Tomatoide avatar Jul 07 '19 11:07 Tomatoide