*******************************************************************************
Change Log
*******************************************************************************

February 13th 2009

User Interface:
Those filters that intercept automatic redirects by turning them into links, and hence require user interaction, are now inactive in the config's Standard Mode (but active in Advanced Mode and above).

Technical:
Adjustments in browser-sensitive code, in order to handle new browser versions (incl. Google Chrome).

Content:
Filter additions and updates to deal with recent trends: more dynamic content, increasing popularity of XML, more sophisticated user tracking methods.
Cut back - or improve - the most troublesome (i.e., heuristic) filters.
Various scattered changes.

Welcome Kye-U (Google filters) and ProxRocks (Yahoo filters) to the club!

September 9th 2007

Due to lack of time (and bad memory ;-) I'm skipping the usual detailed change log. Instead, I'll focus on a few changes that require some explanation.

UW CSE ( http://www.cs.washington.edu/research/security.intro.html ) and ICSI ( http://www.icsi.berkeley.edu/ ) have discovered a vulnerability in this config set. Thanks Charles Reis for informing and helping. Once this vulnerability is disclosed publicly, you can safely assume that someone *will* try to exploit it. So, update your config sets!

Apparently, Firefox (starting with v2.0.0.4?) is now trying to guess a missing document character set too, instead of falling back to iso-8859-1 as previously. For me this sometimes works, but mostly goes wrong. So, this config is adding "charset=iso-8859-1" for such incomplete documents in IE (explained earlier) and Gecko browsers. I've improved the respective filter a bit and turned off the charset fix in the config's minimal mode. Also, there's a new config control switch: "Don't add Charset Info if missing". As a consequence, the IncludeExclude keyword for skipping charset addition has changed from "a_charset" to "i_char:0". ("a_code" covers it too.)

The CSS rules in proxcss-links.css that deal with Henrik Gemal's CSS exploit have started to break too many pages. If you want that protection, activate the new "CSS Fix: Visited Links" webfilter. (As previously, also uncheck the "2.1 Never alter Page/Link Styles" header switch.)

June 2nd 2007

User Interface:
Web config control: Some simplifications and additions (incl. interception of event listeners).
Proxomitron menu: "DOM Source" supports syntax highlighting.
Google: New themes. Integration of some "Google Experimental" features.
CastleCops: New filter: "Auto Login".

Script Blocking:
Generic script blocking is subsumed under one header control category. Three levels: all scripts, all third party scripts, specific third party scripts.
New filter that scans for certain tracking modules in external scripts.
New list "AdHosts-J", containing common hosts for external (ad, tracking, resource hog) scripts, inserting dummy functions if required.

Security:
Numerous additions - mainly to already existing filters/lists - to cover current in-the-wild exploits.
ClassIDs list uncoupled from - meanwhile stale - master lists (now based on a scan of ~20K stopbadware.org sites).

Local Connections:
Proxomitron's own stylesheets get concatenated by a filter to a single file. The mix depends on browser, config mode, chosen config-control settings, and connection response.
If supported by the browser, small local files don't get requested as external resource, but are encoded in "data:" URIs.

Technical:
Work-around for IE7's Dot security, which blocks Proxomitron's ".." URL commands. Integrated into the config's Half-SSL option. For manual use like in bookmarklets, use e.g. "http://px.src-px-." instead of "http://px.src.."
Flash toggler doesn't preload files in IE anymore. Also, you should always get the direct link to the Flash now, instead of "about:blank" for scripted Flash previously.
Data and functions for the Proxomitron menu moved to a separate file, "proxjs-x-menu.js", which only gets loaded on demand (first left-click on a non-link element).
Proxomitron's files aren't injected anymore into documents that identify as AJAX includes (Prototype/jQuery/mootools scripts add an "x-requested-with" header).

Various bugfixes, additions, removals, and improvements.

September 3rd 2006

User Options, Interface, Help:
Added switch for Advanced Mode, "Sel. Mouse Events to Buttons" (see comment inside filter for details). Generally, Advanced Mode got tighter, while Normal Mode got a bit laxer.
Third Party iFrames aren't blocked anymore but converted to toggles: You can load an individual frame inline or in the top window, or load/unload all frames at once. Also note the "iFrame Toggle: Extend to Onsite URLs" config switch.
"setTimeout" timers are now allowed for the first 5-15 seconds after page load. Then the usual timer button will appear, unless you click on the page within that time. This fixes problems with popular Web2 sites like netvibes, protopage, start.com, and allows you to override interception in cases where the timer button can't be displayed (e.g. news.bbc.co.uk).
"AdKeys-S" can now optionally replace removed tags with dummy blocks (see header comment for details).
You can send any user-agent string via IncludeExclude-U. However, in most cases you may want to stick to the usual, ready-made fake strings (see respective list section for details).
Both the general and the user IncludeExclude list use the same format now. If you want to add entries from your old IncludeExclude-U.ptxt, please replace "$SET(keyword=$GET(keyword)" with "$SET(0=", and "$SET(flag=$GET(flag)" with "$SET(1=", respectively.
Finished help file for Proxomitron menu (Prox_Menu.txt).
Added "Window Handling" and "Ads" sections to documentation of Config Control options (Config_Control.txt).

Proxomitron Menu:
"Toggle 'xxx' CSS" (and Style Selector) enabled for Opera 9 too.
"Show 'xxx' Script(s)": Rewritten to work in IE and Opera as well, and to also show blocked inline and external scripts (labeled as "Blocked"). Make sure to read the respective section in Prox_menu.txt if you intend to use this.
"JS Variables" and "Classes & IDs" don't show Proxomitron's own additions anymore, unless while in Debug Mode.

Script Blocking:
Two new filters that check incoming scripts for signatures of popular tracking companies, block them on match, and insert dummy functions if needed to keep the main document parsed correctly.
New list "AdPaths-J" that contains common paths of external tracking scripts, again inserting dummy functions if need be.
Added extra routines to "Remove: Ad Scripts - Noscript", killing script groups with noscript blocks that contain either webbugs or off-domain iframes.
"AdKeys" split into "AdKeys" and "AdKeys-J", the latter containing keywords just used in scripts.
You can block JS functions per site and name via IncludeExclude-U.
"Block: Third Party Scripts" updated and reintroduced (upon request - off by default).
Notes: Please don't modify the "BypassURL" entry in Proxomitron's settings, as most of the above would probably break. There's a new bottom flyover, "js in", showing info about blocked incoming scripts, if any.

Technical:
Each browser gets its own secondary CSS; this should also help keep Opera 9's new error console clean from Prox entries.
Flash toggler rewritten to catch most (but not all) recently appearing scripted Flash. The left "Toggle" part should always work, while the right "Flash" part will now load "about:blank" in cases where the Flash URL can't be extracted.
Proxomitron script rewritten, in order to keep Prox variables out of the top namespace and remove bottlenecks (like "eval").
Filters and script modified to better work with strict XHTML, as well as delayed loading of page content (AJAX).
Tightened filtering of cookie content (see CookieValues list).
AdHosts/AdDomains synced with pgl's Hosts file. Remaining ad lists updated and verified.
Various bugfixes and improvements.

March 5th 2006

User Options:
You can choose between five Config Modes: Minimal, Light, Standard, Advanced, and Debug (see "Config_Control.txt"). You may also assign a certain mode to a specific site.
You can limit animated GIFs to a few loops instead of freezing them (see the ReadMe's "Installation").
You can insert site-specific user scripts via IncludeExclude-U.

Proxomitron Menu:
The number of page styles (IE & Gecko only) and scripts (all three browsers) are shown as a menu item or header.
An "All Scripts" link displays all page scripts in a single window (Gecko only).
JavaScript Shell upgraded to version 1.4 (works in all three browsers again).
The Config Mode can be switched from within the menu, too.
The menu icon (as well as the informational flyover links) is now suppressed in small frames and iframes, unless you're in Debug Mode.

Ads, Cookies, Annoyances, Security:
Incoming ad scripts which made it past the webfilters get blocked. Also scan stylesheets for ad strings (WIP).
All ad lists updated and verified. Quick-tests for limiting individual entries - to match only on certain conditions - extended (explained in the list's header comment).
Session-only cookie filters now also cover "max-age" cookies. Cookies with expiration dates in the past (IOW, cookie removals) aren't altered anymore.
Timers are intercepted with a button if they start unrequested, instead of looking at their function names as previously.
Scripted resizing of the main window is always blocked by default, whereas requested popups are allowed to resize themselves.
Check whether docs that come with an "image" content-type are actually something else (filtering "GIFs" needs to be activated by the user tho, see the ReadMe's "Installation"). Also add "pl", "wmf", "xml" to "Sniff content" list.
Proxomitron's URL commands get removed from JS "location" properties.

Technical:
New list "Content-Types.ptxt" that acts upon the incoming content-type and fixes common notation errors.
Nested open tags aren't counted anymore. Instead, they are closed with a JS function at the end of page (by checking the DOM tree; open tags may prevent the browser from parsing our own insertions).
Pages are prevented from accessing our own stylesheets.
Fixes for IE's "can't execute code from a freed script" error on pages with complex charcodes.
Just a basic Proxomitron script gets inserted for old browsers and in Minimal Mode.
Inserted Proxomitron stylesheets depend on browser and chosen Config Control options as well.

Various bugfixes and improvements.

June 9th 2005

Small external ad scripts aren't broken anymore, but their content is replaced.
New level-3 filters: ": Jump out of Ad Frames" and " Remove: Ad Sources". (Disabled while using "Light Settings".)
Blocking of images and Flash objects that contain the controversial string "banner" in their path has become a bit more aggressive. However, it can be turned off by unticking the new option "Block Off-Domain Banners" (or amplified by selecting "Block On-Domain Banners").
Proxomitron menu: A third "Session" button temporarily changes selected config options, until it is pressed again without having selected anything or the config is reloaded. Hitting "Go" without checking any options now strips all keywords from the URL. "Popularity" link replaces former "Link To" (see Prox_Menu.txt). Javascript Shell upgraded to version 1.3 for Mozilla/Opera (IE still gets v1.1 due to a bug in v1.2/1.3).
Window handling: Some more options added. Fix for requested popups that need to load an unrequested popup in order to work. Fix for "JS Links to normal Links" filter to suppress window resizing when opening converted links.
AdComments.ptxt: Obsolete entries removed, new entries added, generic rules rewritten (just one unhashed entry left).
Count.ptxt: Rewritten to no longer use recursive calls and to not show up in the log window - by Mike/z12, Mona, and me.
Caching header filters improved - by Mike/z12 and me.
Malware ClassID filters: Also match chopped IDs (example: http://www.mt-download.com/mtrslib2.js ).
Keycodes changed to work better with Firefox and Opera (see Abbreviations.txt).
The content of XML documents that don't come with the correct content-type is sniffed, and protected from filtering if it's not (X)HTML.
Redirects from images, CSS, JS with standard extensions to documents with non-standard extensions (i.e. some sort of 404 error pages) are killed now - they tend to slow down page loading (real 404s get killed as well).
The old AdKeys.ptxt was merged into AdList.ptxt, thus reducing the previous AdKeys -> AdList -> AdHosts/AdDomains/AdPaths chain by one link. The previous AdStrings.ptxt in turn is now called AdKeys.ptxt.
If you know the class/ID/name of a tag block that you want to see removed on a specific site, you can add it to AdKeys-S.ptxt. This list is scanned by the "Remove: Ad Containers on sel. Sites" webfilter.
Various bugfixes and improvements.

April 2nd 2005

Rewrite of the "heavy duty" Ad Links filter. Other ad-blocking filters changed as well, mostly regarding speed and preserving of page layout.
IP cookies are not killed anymore, but their value gets replaced with a random US IP address. This is to get around server-side request blocking (e.g. at hostultra memberpages).
Cut down on site specific filters and IncludeExclude entries (obsolete, rarely used, or handled by general filters now).
Webbug filter changed to not break DHTML menus that depend on positional GIFs.
Fly-over function changed to not disrupt page layout in IE while in standards-compliant mode.
Some sort of failure protection (don't break page, if something goes wrong) added to a few filters.
"window.resizeTo" and "window.moveTo" are intercepted now and blocked, if the request was fullscreen. You'll see a notification at the bottom of the page, if a resize attempt was blocked or allowed.
Yahoo/Google filters adjusted to changed layout.
Ad and security lists updated. Format of Ad Dimension list changed to also match escaped quotes.
Javascript Shell (Proxomitron menu) upgraded to version 1.1.
New document, "Prox_Menu.txt" - Work in Progress.
Various bugfixes and little enhancements.

February 22nd 2005

New "Config Control" document, still work in progress, but already explains the most important options.
URL commands launched internally or from the Prox menu don't show up as "subdomain" anymore (except Half-SSL "http://https.." links). This is to avoid problems with hostname specific cookies and to prevent sending the personal URL command prefix to the server while using the "bypass.." command.
Several additions for the "Debug Mode" switch.
Added Webfilter subsection "Possible Exploits" with a couple of filters (off by default).
New user list "IncludeExclude-U". Site-specific keywords added here get appended to those already set in "IncludeExclude".
"Half-SSL" got its own config control switch (defaults to off).
Modifications to the original page layout, like dimming white backgrounds, increasing small fonts, protocol dependent link styles, etc., can be switched on/off with a new "Allow Page Layout Changes" config control option.
Various bugfixes and little enhancements.

December 28th 2004

Bugfixed release version.

December 15th 2004

Public pre-release.
Added "Half-SSL", based on filters by Scott, JarC, and JJoe. It circumvents re-encrypting of documents after filtering, and alert messages in Mozilla and Opera. SSLeay32.dll and Libeay32.dll are now required. Selecting "Use SSLeay/OpenSSL" under Options is still optional tho.
Changed handling of headers related to caching (see "Cache Handling" section in the ReadMe). Note that these headers get filtered for local.ptron files as well. Also note that CTRL-Refresh forces a fresh copy now in *all* browsers.
Ad lists rebuilt from scratch.
"AliasList" and "AliasJump" got merged with "IncludeExclude". Please copy your existing custom aliases and redirects to that list.
Proxy spoofing. It "hides" your real IP address from websites by pretending that your computer is a proxy server, forwarding requests for another IP address. Based on JakBeNymble's filters. The "other" IP is one out of a bunch of US IPs that will be constant per domain until Proxomitron is restarted. By default only enabled for selected sites. For permanent spoofing activate the "Set Flag: Proxy Spoofing by Default" header filter.
Timers ("setInterval" and certain "setTimeout" functions) are now intercepted and displayed as start/stop buttons in Gecko browsers and Opera or ordinary links in IE, respectively.
New - relatively positioned - Proxomitron menu (appears lower right on mouse click).
Reactivation of the ": JS Hrefs to Link" filter which became acceptable with the new clickable flyover.

April 11th 2004

First release version.
A "clickable flyover" function, currently only used for the ": URL Untangler" filter and the event buttons. More to come.

March 8th 2004

First public beta.
New site-specific filters.

February 8th 2004

You can apply user stylesheets. Scott's page - http://www.geocities.com/srl_list/index.html - is styled as an example. Three W3C Core Styles are included -- See IncludeExclude.ptxt -> "use a local stylesheet".

November 19th 2003

First version that is actually usable for other people than me :-).
Adopted Mona's config layout.
External scripts and stylesheets with non-standard extensions, that are called from web pages are written to temporary lists to make sure that they are requested with the proper Content-Type.

*EOF*