prox-config-sidki_2019-01-26b1
Sep. 16, 2019, 04:33 PM (This post was last modified: Sep. 16, 2019 04:35 PM by JJoe.)
Post: #17
RE: prox-config-sidki_2019-01-26b1
(Sep. 15, 2019 02:42 AM)thypentacle Wrote:  For issue 2 I think I fixed that one on my end by not using Opera.

I use the new Opera portable.

(Sep. 15, 2019 02:42 AM)thypentacle Wrote:  For issue 3 here's a few that fail loading...

https://community.quirky.com/login
https://discordapp.com/channels/@me
https://www.linkedin.com/in/thyinnovation
https://teams.microsoft.com (sometimes works sometimes doesn't)
https://www.vudu.com/content/movies/free (loads kinda but is missing most of it... may not be related)

Ahh... Filtering will break web sites.
The user is expected to add 'Exceptions' to 'Exceptions-U.ptxt' to regain desired behavior.
However, I'll claim discordapp and teams.microsoft.com.

Depending on which cfg you are using, 'Exceptions-U.ptxt' needs at least:
Code:
##community.quirky.com/login
aws1.discourse-cdn.com/                     $SET(0=a_adjs.a_jsprop.)
#OR
aws1.discourse-cdn.com:                     $SET(0=a_adjs.a_jsprop.)

##www.linkedin.com/
www.linkedin.com/   $SET(0=a_refer.)
#OR
www.linkedin.com:   $SET(0=a_refer.)

##teams.microsoft.com - Not needed, if nonce is removed from the Content-Security-Policy header.
teams.microsoft.com/   $SET(0=i_loc_j:0.)
#OR
teams.microsoft.com:   $SET(0=i_loc_j:0.)

Discordapp's Content-Security-Policy header uses nonce.
Code:
default-src https://local.ptron:8443 'unsafe-inline'  'self';
script-src https://local.ptron:8443 'unsafe-inline'  'self' 'unsafe-eval' 'unsafe-inline'
https://cdn.discordapp.com/animations/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/
https://recaptcha.net/recaptcha/ https://js.stripe.com https://js.braintreegateway.com
https://assets.braintreegateway.com https://www.paypalobjects.com https://checkout.paypal.com
'nonce-NjUsMTgzLDEwMywxOTUsMTI5LDMwLDExNyw4MA=='; style-src https://local.ptron:8443
'unsafe-inline'  'self' 'unsafe-inline' https://cdn.discordapp.com; img-src https://local.ptron:8443
'unsafe-inline'  'self' data: https://*.discordapp.net https://*.discordapp.com https://i.scdn.co
https://i.ytimg.com https://i.imgur.com https://*.gyfcat.com https://media.tenor.co
https://media.tenor.com https://*.youtube.com https://*.giphy.com https://static-cdn.jtvnw.net
https://pbs.twimg.com https://assets.braintreegateway.com https://checkout.paypal.com;
font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://status.discordapp.com
https://discordapp.com https://cdn.discordapp.com https://router.discordapp.net wss://*.discord.gg
https://best.discord.media wss://*.discord.media wss://dealer.spotify.com https://api.spotify.com
https://support.discordapp.com https://sentry.io https://api.twitch.tv https://api.stripe.com
https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://origin-analytics-prod.production.braintree-api.com
https://payments.braintree-api.com ws://127.0.0.1:* http://127.0.0.1:*; media-src
'self' blob: https://*.discordapp.net https://*.discordapp.com https://*.youtube.com
https://streamable.com https://vid.me https://*.gfycat.com https://twitter.com https://oddshot.akamaized.net
https://*.giphy.com https://i.imgur.com https://media.tenor.co https://media.tenor.com;
frame-src 'self' discord: https://*.youtube.com https://*.twitch.tv https://open.spotify.com
https://w.soundcloud.com https://sketchfab.com https://player.vimeo.com https://twitter.com
https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ https://js.stripe.com
https://assets.braintreegateway.com https://checkout.paypal.com https://*.watchanimeattheoffice.com;
child-src 'self' https://assets.braintreegateway.com https://checkout.paypal.com;

'Nonce' causes the browser to ignore our 'unsafe-inline' addition and our inline scripts for discordapp.com/channels/@me.
The simple choice is to bypass the affected pages or add Exceptions for the broken routines.
Another is to remove 'nonce' from the header.
Warning: This would also allow malicious scripts without the nonce attribute to run.
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Security-Policy: Remove nonce and hash 19.09.15     [jjoe] (d.0) (In) [add]"
Match = "(\# '(nonce|sha256)-*')+{1,*}\#"
Replace = "\@"

The better (for our point of view) but more time consuming choice would be to capture the nonce and add it to our rewritten scripts.

discordapp is also using the integrity attribute.
Code:
<script src="/assets/dea071166a0cf8791a1e.js" integrity="sha256-0kdB3V4HCTqbit21e3K2rY7ypJiNdjmjyQ9MFnPJHCI= sha512-EtY9vjf3AHCuuRqOurhkNITyJtCXmfgFQmOCD4w/LbtgvstqFufIiFfTetU24nhw+n1CD//myNXaNa59lT9EQg==">

The browser will reject the script if its hash isn't the integrity attribute's value. A filtered script's hash will not match.
The simple choice is to bypass the affected resources.
Warning: This would also allow malicious files to run.
Code:
[Patterns]
Name = "Script: Remove integrity     19.09.15 (multi) [jjoe] (d.0)`"
Active = TRUE
Multi = TRUE
Bounds = "<script\s*>"
Limit = 512
Match = "\1integrity=$AV(*)\2"
Replace = "\1\2"

Name = "Link: Remove integrity     19.09.15 (multi) [jjoe] (d.0)`"
Active = TRUE
Multi = TRUE
Bounds = "<link\s*>"
Limit = 512
Match = "\1integrity=$AV(*)\2"
Replace = "\1\2"

more to come...
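As an added example (my own code, not JJoe's and not part of the sidki config), here is a small Python model of the two browser checks behind the breakage described above: once script-src lists a nonce or hash the browser ignores 'unsafe-inline', and an SRI integrity attribute rejects any body whose digest differs from the listed one. The CSP sample is constructed and shortened from the quoted header; sri_token also yields the value you would put in a fresh integrity attribute after rewriting a script yourself.

```python
import base64
import hashlib
import re

# Constructed sample, shortened from the header quoted in the post; the nonce value is the one shown there.
SAMPLE_CSP = ("default-src 'self' 'unsafe-inline'; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.discordapp.com/animations/ "
              "'nonce-NjUsMTgzLDEwMywxOTUsMTI5LDMwLDExNyw4MA=='")
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def inline_script_allowed(header, nonce=None):
    """Would an inline <script nonce=...> run? Once script-src lists any nonce or
    hash source, browsers ignore 'unsafe-inline', so the element needs a matching nonce."""
    d = parse_csp(header)
    sources = d.get("script-src", d.get("default-src", []))
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if nonces or has_hash:
        return nonce in nonces
    return "'unsafe-inline'" in sources

def strip_nonces_and_hashes(header):
    """Same effect as the post's header filter: drop nonce and hash sources, so
    'unsafe-inline' is honoured again (for every inline script, not only the site's own)."""
    return re.sub(r"\s*'(?:nonce|sha256|sha384|sha512)-[^']*'", "", header)

def sri_token(algo, body):
    """Build one integrity token, e.g. sha256-<base64 digest>, for a script body."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()

def sri_matches(body, integrity):
    """Browser SRI rule: keep only the strongest listed algorithm, then accept the
    resource if any token of that algorithm matches the body's digest."""
    tokens = [(t.partition("-")[0], t.partition("-")[2].split("?")[0])
              for t in integrity.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:  # no usable metadata: the browser loads without an SRI check
        return True
    strongest = max(STRENGTH[a] for a, _ in tokens)
    return any(sri_token(a, body) == a + "-" + d for a, d in tokens if STRENGTH[a] == strongest)
```

Feeding the sample header through strip_nonces_and_hashes flips inline_script_allowed from False to True, which is exactly the trade the post's warning describes.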