CSS hide rules created for HTTPS sites do not work for LAN users
Closed this issue · 6 comments
ab2p.system.filter contains the following rules for element hiding.
cat ab2p.system.filter |grep http
s@.*\sHTTP\/1.*@$&\r\nX-Frame-Options: DENY@i
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></link>@iUD
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/debug/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host.debug/ab2p.css"></link>@iUD
It works for HTTP sites but does not work for HTTPS sites which get decrypted by MITM for Privoxy to filter. This is because browsers do not allow mixed content on HTTPS sites for targets other than localhost.
I tried preparing a local web server with SSL and switching all 4 links to href="https://192.168.101.101:8445", but it does not seem to work either, as information about HTTPS content is not sent to the browser at all. It also seems to break regular HTTP sites.
It is possible to differentiate traffic which comes directly from browsers, which will always be HTTP, from traffic that comes from the HTTPS proxy, where it is additionally tagged. In my case it is client-header-tagger{tagger4https}. Then perhaps the rules could be changed for them, and in the case of SSL traffic it could be directed to a different port at which the same content gets served, just over HTTPS?
I use the following in Privoxy for SSL site filtering:
proxhttpsproxy.action
{ +client-header-tagger{tagger4https} }
/
{ +forward-override{forward 127.0.0.1:8081} }
TAG:.*?ProxHTTPSProxyMII
proxhttpsproxy.filter
CLIENT-HEADER-TAGGER: tagger4https
s@^.*Tagged:.*ProxHTTPSProxyMII.*FrontProxy.*$@$0@i
As a workaround for this problem, in Firefox one may set security.mixed_content.block_active_content to false, which allows HTTP content to be served on HTTPS sites.
A few things to keep in mind while using this workaround:
- the SSL icon in the browser no longer shows the connection as secure
- Firefox ESR 52.8.0 does not work, probably due to a bug, while Firefox 60 does
- while it works for most SSL sites, there are still some, such as filmweb.pl or wpolityce.pl, for which config.privoxy.org does show that element hiding is used, but no information about the CSS file is sent from Privoxy to the browser for it to download
Chrome also requires intervention for mixed content to be loaded by the browser. Starting the application with google-chrome --allow-running-insecure-content is required.
Opera has its own options as well: http://help.opera.com/Windows/12.10/en/contentblock.html
It turns out some sites require more intervention, as they establish their own Content Security Policy. In Firefox one needs to set security.csp.enable to false. However, turning off all those security policies is never a good idea; therefore a fix to the script which would direct inquiries for local CSS files to HTTPS sites for HTTPS content is even more important.
I’m going to declare that TLS interception is beyond the scope of this repo because of the inherent security risks and because robust configuration and testing is a time-consuming PITA.
If anyone wishes to fork the repo and get this working and tested themselves, I’ll consider a PR in the future.
The idea is rather simple. If a link is tagged with +client-header-tagger{tagger4https} +filter{ab2p-elemhide-filter}, then send it to CSS served over HTTPS:
CLIENT-HEADER-TAGGER:tagger4https FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/$host/ab2p.css"></link>@iUD
Otherwise, if client-header-tagger{tagger4https} is not specified, then serve the link to CSS over HTTP as usual:
FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></link>@iUD
What is problematic is that the Privoxy manual does not say it allows a double rule on a single line, so probably it is not achievable so easily.
OMG, I do not believe it. It was so simple:
FILTER: ab2p-elemhide-filter
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="http://192.168.101.101:8445/$host/ab2p.css"></link>@iUD
s@[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])@$&<link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/ab2p.common.css"></link><link rel="stylesheet" type="text/css" href="https://192.168.101.101:8446/$host/ab2p.css"></link>@iUD
It turns out placing both under element hiding works in every scenario without any security tricks in browsers :) I would have to do some testing, but I think the reason HTTPS broke for HTTP sites is that the other browsers did not have the local website certificate accepted, as it is self-signed, and therefore disregarded the https link.
If that is true, then the implementation in adlock2privoxy seems very simple: adding a new command line switch, e.g. -ssl, which for element hiding would create an https:// link instead of a plain http:// one.
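The tag-based scheme selection proposed earlier in the thread and the final two-rule variant, emulated in Python as an added example (this is not adlock2privoxy's or Privoxy's own code); the regex, LAN address and ports are the thread's, the function names and the sample HTML are assumptions:

```python
import re

# Pattern copied from the thread's pcrs rule "s@...@...@iUD".  Python's re has
# no 'U' (ungreedy) flag, but none of the quantifiers here can match differently
# lazily, so the semantics are preserved; 'i' maps to IGNORECASE.
HEAD_RE = re.compile(r"""[^'"\s]\s*<head[^>]*>(?=\s*[^'"\s])""", re.IGNORECASE)

CSS_SERVER = "192.168.101.101"          # LAN CSS server from the thread
PORTS = {"http": 8445, "https": 8446}   # plain port and TLS port from the thread


def css_links(scheme, host):
    """Build the two <link> tags, expanding '$host' (Privoxy's D flag)."""
    base = f"{scheme}://{CSS_SERVER}:{PORTS[scheme]}"
    return (f'<link rel="stylesheet" type="text/css" href="{base}/ab2p.common.css"></link>'
            f'<link rel="stylesheet" type="text/css" href="{base}/{host}/ab2p.css"></link>')


def elemhide_filter(html, host, tagged_https):
    """Tag-based variant: choose the scheme from the tagger4https client-header
    tag and inject the links right after the first real <head ...> tag.
    '$&' in pcrs is the whole match; the lambda reproduces it.  No 'g' flag in
    the rule, so only the first match is replaced (count=1)."""
    scheme = "https" if tagged_https else "http"
    return HEAD_RE.sub(lambda m: m.group(0) + css_links(scheme, host), html, count=1)


def elemhide_filter_both(html, host):
    """Final two-rule variant: Privoxy runs the rules of one filter in order.
    The second rule matches the same <head> again because the injected text
    starts with '<', which satisfies the lookahead, so both link sets land."""
    out = HEAD_RE.sub(lambda m: m.group(0) + css_links("http", host), html, count=1)
    return HEAD_RE.sub(lambda m: m.group(0) + css_links("https", host), out, count=1)


if __name__ == "__main__":
    # Constructed sample page, not a real capture.
    page = "<html>\n<head><title>t</title></head><body></body></html>"
    print(elemhide_filter(page, "example.org", tagged_https=True))
```

The guard characters in the pattern matter: a `<head>` that appears inside a quoted string (for example in a script) is preceded by a quote, so the rule leaves it alone.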