*******************************************************************************
Change Log
*******************************************************************************

October 23rd 2010

  User Interface:
    You can remove specific comment-blocks on given pages via the Exceptions-U list.
    Proxomitron menu: "Show 'xxx' CSS" allows you to view all inline and external styles of a page (initial code by ddandyy).
    BabelFish translation service replaced with Bing, which features automatic language recognition (like Google).
    Defunct Whois service replaced.

  Privacy:
    3rd party and image cookies are blocked by default. (This feature is already part of the June 6th 2009 update for the last config version.)

  Technical:
    "application/xhtml+xml" is filtered as is. (Previously this content-type was changed to "text/html".) Filters and Proxomitron scripts have been updated to properly handle (much stricter) XHTML. As a consequence, embedded XML applications like MathML should now display properly in standard-compliant browsers.
    The config was tested on various Linux flavors, and adjusted for platform specific characteristics and non-Windows browsers.

  Lists:
    IncludeExclude and IncludeExclude-U are renamed to Exceptions and Exceptions-U respectively.
    AdHosts-J (used to scan script sources for unwanted hosts) has been massively extended.
    Bypass-SSL is a new list, containing secure sites, where Proxomitron should go into SSL-bypass mode right from the beginning.

  Documentation:
    43unite has written "Prox_on_Linux.txt", a how-to for setting up Proxomitron on Linux.
    whenever has written "Page_Info.txt", an overview of informational page elements inserted by Proxomitron.
    JJoe added a chapter to "Techniques.txt", about working around an issue with using positional variables directly after negated sub-expressions. (All config filters containing the potentially troublesome expression pattern have been updated with the recommended notation.)
    The ReadMe's "Installation" chapter is now hopefully a little easier to understand for Proxomitron beginners.

  As always: Various bugfixes, additions, removals, improvements, enhancements, and too little time.

February 13th 2009

  User Interface:
    Those filters that intercept automatic redirects by turning them into links, hence require user interaction, are inactive now in the config's Standard Mode (but active in Advanced Mode and above).

  Technical:
    Adjustments in browser-sensitive code, in order to handle new browser versions (incl. Google Chrome).

  Content:
    Filter additions and updates to deal with recent trends: more dynamic content, increasing popularity of XML, more sophisticated user tracking methods.
    Cut back - or improve - the most troublesome (i.e., heuristic) filters.
    Various scattered changes.

  Welcome Kye-U (Google filters) and ProxRocks (Yahoo filters) to the club!

September 9th 2007

  Due to lack of time (and bad memory ;-) I'm skipping the usual detailed change log. Instead, I'll focus on a few changes that require some explanation.

  UW CSE ( http://www.cs.washington.edu/research/security.intro.html ) and ICSI ( http://www.icsi.berkeley.edu/ ) have discovered a vulnerability in this config set. Thanks Charles Reis for informing and helping. Once this vulnerability is disclosed publicly, you can safely assume that someone *will* try to exploit it. So, update your config sets!

  Apparently, Firefox (starting with v2.0.0.4?) is now trying to guess a missing document character set too, instead of falling back to iso-8859-1 as previously. For me this sometimes works, but mostly goes wrong. So, this config is adding "charset=iso-8859-1" for such incomplete documents in IE (explained earlier) and Gecko browsers. I've improved the respective filter a bit and turned off the charset fix in the config's minimal mode. Also, there's a new config control switch: "Don't add Charset Info if missing".
  As a consequence, the IncludeExclude keyword for skipping charset addition has changed from "a_charset" to "i_char:0". ("a_code" covers it too.)

  The CSS rules in proxcss-links.css that deal with Henrik Gemal's CSS exploit have started to break too many pages. If you want that protection, activate the new "CSS Fix: Visited Links" webfilter. (As previously, also uncheck the "2.1 Never alter Page/Link Styles" header switch.)

June 2nd 2007

  User Interface:
    Web config control: Some simplifications and additions (incl. interception of event listeners).
    Proxomitron menu: "DOM Source" supports syntax highlighting.
    Google: New themes. Integration of some "Google Experimental" features.
    CastleCops: New filter: "Auto Login".

  Script Blocking:
    Generic script blocking is subsumed under one header control category. Three levels: all scripts, all third party scripts, specific third party scripts.
    New filter that scans for certain tracking modules in external scripts.
    New list "AdHosts-J", containing common hosts for external (ad, tracking, resource hog) scripts, inserting dummy functions if required.

  Security:
    Numerous additions - mainly to already existing filters/lists - to cover current in-the-wild exploits.
    ClassIDs list uncoupled from - meanwhile stale - master lists (now based on a scan of ~20K stopbadware.org sites).

  Local Connections:
    Proxomitron's own stylesheets get concatenated by a filter to a single file. The mix depends on browser, config mode, chosen config-control settings, and connection response.
    If supported by the browser, small local files don't get requested as external resource, but are encoded in "data:" URIs.

  Technical:
    Work-around for IE7's Dot security, which blocks Proxomitron's ".." URL commands. Integrated into the config's Half-SSL option. For manual use like in bookmarklets, use e.g. "http://px.src-px-." instead of "http://px.src.."
    Flash toggler doesn't preload files in IE anymore.
    Also, you should always get the direct link to the Flash now, instead of "about:blank" for scripted Flash previously.
    Data and functions for the Proxomitron menu moved to a separate file, "proxjs-x-menu.js", which only gets loaded on demand (first left-click on a non-link element).
    Proxomitron's files aren't injected anymore into documents that identify as AJAX includes (Prototype/jQuery/mootools scripts add an "x-requested-with" header).

  Various bugfixes, additions, removals, and improvements.

September 3rd 2006

  User Options, Interface, Help:
    Added switch for Advanced Mode, "Sel. Mouse Events to Buttons" (see comment inside filter for details). Generally, Advanced Mode got tighter, while Normal Mode got a bit laxer.
    Third Party iFrames aren't blocked anymore but converted to toggles: You can load an individual frame inline or in the top window, or load/unload all frames at once. Also note the "iFrame Toggle: Extend to Onsite URLs" config switch.
    "setTimeout" timers are now allowed for the first 5-15 seconds after page load. Then the usual timer button will appear, unless you click on the page within that time. This fixes problems with popular Web2 sites like netvibes, protopage, start.com, and allows you to override interception in cases where the timer button can't be displayed (e.g. news.bbc.co.uk).
    "AdKeys-S" can now optionally replace removed tags with dummy blocks (see header comment for details).
    You can send any user-agent string via IncludeExclude-U. However, in most cases you may want to stick to the usual, ready-made fake strings (see respective list section for details).
    Both the general and the user IncludeExclude lists use the same format now. If you want to add entries from your old IncludeExclude-U.ptxt, please replace "$SET(keyword=$GET(keyword)" with "$SET(0=", and "$SET(flag=$GET(flag)" with "$SET(1=", respectively.
    Finished help file for Proxomitron menu (Prox_Menu.txt).
    Added "Window Handling" and "Ads" sections to documentation of Config Control options (Config_Control.txt).

  Proxomitron Menu:
    "Toggle 'xxx' CSS" (and Style Selector) enabled for Opera 9 too.
    "Show 'xxx' Script(s)": Rewritten to work in IE and Opera as well, and to also show blocked inline and external scripts (labeled as "Blocked"). Make sure to read the respective section in Prox_menu.txt if you intend to use this.
    "JS Variables" and "Classes & IDs" don't show Proxomitron's own additions anymore, unless in Debug Mode.

  Script Blocking:
    Two new filters that check incoming scripts for signatures of popular tracking companies, block them on match, and insert dummy functions if needed to keep the main document parsed correctly.
    New list "AdPaths-J" that contains common paths of external tracking scripts, again inserting dummy functions if need be.
    Added extra routines to "Remove: Ad Scripts - Noscript", killing script groups with noscript blocks that contain either webbugs or off-domain iframes.
    "AdKeys" split into "AdKeys" and "AdKeys-J", the latter containing keywords just used in scripts.
    You can block JS functions per site and name via IncludeExclude-U.
    "Block: Third Party Scripts" updated and reintroduced (upon request - off by default).
    Notes:
      Please don't modify the "BypassURL" entry in Proxomitron's settings, as most of the above would probably break.
      There's a new bottom flyover, "js in", showing info about blocked incoming scripts, if any.

  Technical:
    Each browser gets its own secondary CSS, which should also help keep Opera 9's new error console clean of Prox entries.
    Flash toggler rewritten to catch most (but not all) recently appearing scripted Flash. The left "Toggle" part should always work, while the right "Flash" part will now load "about:blank" in cases where the Flash URL can't be extracted.
    Proxomitron script rewritten, in order to keep Prox variables out of the top namespace and remove bottlenecks (like "eval").
    Filters and script modified to better work with strict XHTML, as well as delayed loading of page content (AJAX).
    Tightened filtering of cookie content (see CookieValues list).
    AdHosts/AdDomains synced with pgl's Hosts file.
    Remaining ad lists updated and verified.

  Various bugfixes and improvements.

March 5th 2006

  User Options:
    You can choose between five Config Modes: Minimal, Light, Standard, Advanced, and Debug (see "Config_Control.txt"). You may also assign a certain mode to a specific site.
    You can limit animated GIFs to a few loops instead of freezing them (see the ReadMe's "Installation").
    You can insert site-specific user scripts via IncludeExclude-U.

  Proxomitron Menu:
    The number of page styles (IE & Gecko only) and scripts (all three browsers) are shown as a menu item or header.
    An "All Scripts" link displays all page scripts in a single window (Gecko only).
    JavaScript Shell upgraded to version 1.4 (works in all three browsers again).
    The Config Mode can be switched from within the menu, too.
    The menu icon (as well as the informational flyover links) is now suppressed in small frames and iframes, unless you're in Debug Mode.

  Ads, Cookies, Annoyances, Security:
    Incoming ad scripts which made it past the webfilters get blocked.
    Also scan stylesheets for ad strings (WIP).
    All ad lists updated and verified. Quick-tests for limiting individual entries - to match only on certain conditions - extended (explained in the list's header comment).
    Session-only cookie filters now also cover "max-age" cookies.
    Cookies with expiration dates in the past (IOW, cookie removals) aren't altered anymore.
    Timers are intercepted with a button if they start unrequested, instead of looking at their function names as previously.
    Scripted resizing of the main window is always blocked by default, whereas requested popups are allowed to resize themselves.
    Check whether docs that come with an "image" content-type are actually something else (filtering "GIFs" needs to be activated by the user though, see the ReadMe's "Installation"). Also add "pl", "wmf", "xml" to "Sniff content" list.
    Proxomitron's URL commands get removed from JS "location" properties.

  Technical:
    New list "Content-Types.ptxt" that acts upon the incoming content-type and fixes common notation errors.
    Nested open tags aren't counted anymore. Instead, they are closed with a JS function at the end of page (by checking the DOM tree; open tags may prevent the browser from parsing our own insertions).
    Pages are prevented from accessing our own stylesheets.
    Fixes for IE's "can't execute code from a freed script" error on pages with complex charcodes.
    Just a basic Proxomitron script gets inserted for old browsers and in Minimal Mode.
    Inserted Proxomitron stylesheets depend on browser and chosen Config Control options as well.

  Various bugfixes and improvements.

June 9th 2005

  Small external ad scripts aren't broken anymore, but their content is replaced.
  New level-3 filters: "