Commit Graph

5188 Commits

Author SHA1 Message Date
Raymond Hill ab1b23a398 Update CONTRIBUTING.md 2017-08-30 12:37:18 -04:00
gorhill b5035b2e0b
new release: skip webext-hybrid and go pure webext 2017-08-30 11:18:55 -04:00
gorhill 17d54f6ded
new revision for release candidate 2017-08-30 09:34:12 -04:00
gorhill 126110c9a0
remove ability to pull latest version of resources.txt from remote repo.
This is required as per Firefox extension reviewers. Mail exchange:

========

Reviewer:
> Do I read the code correctly that you are executing remote JS by
> downloading/updating from
> https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resources.txt
> and injecting scripts in contentscripts.js?

Me:
> Yes, resources.txt contains scriptlets or other resources used to:
>
> - Minimize potential page breakage (e.g. google-analytics.com/ga.js);
> - Defuse anti-blockers (e.g. bab-defuser.js);
> - Defuse anti-blockers or minimize page breakage through redirection
> (e.g. 2x2-transparent.png)
>
> This is not a new feature -- this is also part of the legacy version,
> and I consider this a major feature of uBO. Given how fast things can
> change out there, this allows me to quickly push fixes when a new issue
> is reported for a site without having to go through a full update of the
> extension.

Reviewer:
> I am aware that this is not a new feature. I am unclear why it has been
> allowed in the past, since it violates our policy about remote code
> execution. I assume it was missed due to the fairly complex codebase.
>
> I can approve this version so you are not blocked on the migration, but
> eventually, you cannot use functionality that executes remote code.
> Since we're moving to a more automated review process, you will be able
> to ship new versions without being blocked on a human review.

Me:
> Do I understand correctly that extensions such as TamperMonkey or
> ViolentMonkey won't be allowed on AMO?
>
> Those extensions are even more permissive than uBO given a user can
> import scripts from any source, while with uBO only scriptlets which are
> part of the project are allowed.

Reviewer:
> The key difference between add-ons like Tampermonkey and uBO is that in
> Tampermonkey, users are making an active and conscious decision to
> download and execute that specific code. In uBO, the user did not
> initiate that download/execution, nor are they even aware of it
> happening.

Me:
> So users of TamperMonkey -- tech-savvy or not -- can download & inject
> countless 3rd-party user scripts from countless authors, have them
> update on their own automatically at regular intervals with no user
> intervention.
>
> On the other hand, it's not acceptable for me, the author of the
> extension, who users implicitly trusted when installing the extension,
> who is completely controlling and vouching for the content of
> "resources.txt", to have this one 1st-party resource file[1] to be
> updated at regular intervals with no user intervention.
>
> So anyways, what is expected from me at this point? Do I need to remove
> scriptlet injection and resource redirection features? Do I need to
> remove only the updating part of resources.txt?
>
> [1] key to core features of uBO (counter anti-blockers + page breakage
> mitigations) and possibly an important factor in installing the
> extension.

========

Now about this commit: the purpose of the code change here is to
prevent "resources.txt" -- which is part of the package -- from being
updated -- this applies only to the Firefox webext[-hybrid] version
of uBO.
2017-08-30 09:15:06 -04:00
gorhill d165432ded
deal properly with indexedDB not being available (#2925) 2017-08-30 08:41:22 -04:00
gorhill b1842ddf16
new revision for dev build 2017-08-29 18:32:46 -04:00
gorhill beb7933016
fix #2925 2017-08-29 18:32:00 -04:00
gorhill 572aecc517
import indexedDB-based vAPI.cacheStorage as is from d1538ea9be 2017-08-28 15:30:01 -04:00
gorhill fe4c59ec90
new revision for release candidate 2017-08-24 18:30:55 -04:00
gorhill b2e89c9ece
generate better regex for hostname-anchored generic filters 2017-08-24 18:30:05 -04:00
gorhill c31d29c2e3
fix bad test: regression from fdcc9515 2017-08-24 17:54:27 -04:00
gorhill 8758dfc061
fix AMO error: "Legacy add-ons are not compatible with Firefox 57 or higher. Use a maxVersion of 56.* or lower" 2017-08-23 08:02:40 -04:00
gorhill 2f922192c3
fix #2892: set proper minimum version for Opera 2017-08-23 07:27:53 -04:00
gorhill 592d5da490
new release 2017-08-22 23:51:02 -04:00
gorhill 9a64bf2282
translation work from https://crowdin.com/project/ublock 2017-08-22 19:00:53 -04:00
gorhill f72915f5b0
new revision for release candidate 2017-08-22 08:01:52 -04:00
gorhill 06f9ac033f
harden just a bit more the migration code 2017-08-22 08:00:46 -04:00
gorhill c9a5b4c6ac
new revision for release candidate 2017-08-21 12:06:12 -04:00
gorhill 70081dc115
Merge branch 'master' of github.com:gorhill/uBlock 2017-08-21 12:04:55 -04:00
gorhill 63be43a365
shield content script against exceptions in injected scriptlets 2017-08-21 12:04:35 -04:00
Sander Lepik 61c7f86fd2 Switch adblock.ee to HTTPS (#2884)
* Switch adblock.ee to HTTPS

Signed-off-by: Sander Lepik <sander@lepik.eu>

* Undo changes on wrong files

Signed-off-by: Sander Lepik <sander@lepik.eu>
2017-08-18 09:07:41 -04:00
gorhill 213c4e4de8
new revision for release candidate 2017-08-17 09:54:32 -04:00
gorhill a1350b8cff
fix #2882 2017-08-17 09:54:01 -04:00
gorhill 8e064d6b04
new revision for release candidate 2017-08-17 08:35:56 -04:00
gorhill b9f793e06f
translation work from https://crowdin.com/project/ublock 2017-08-17 08:34:00 -04:00
gorhill fdcc9515dc
fix #2029 2017-08-17 08:25:02 -04:00
gorhill d1c752da29
fix bad English in comment 2017-08-16 18:06:04 -04:00
gorhill 22ad39ea4d
new revision for dev build 2017-08-16 15:47:59 -04:00
gorhill 797082a36c
fix #2552 2017-08-16 14:10:41 -04:00
gorhill 5f72565f7a
fix #2873 2017-08-15 09:09:16 -04:00
Raymond Hill 1bda3a1cc3 Update README.md 2017-08-14 08:38:13 -04:00
gorhill 4a319d7a26
new revision for release candidate 2017-08-13 08:43:20 -04:00
gorhill d2af82bdbf
set proper min-max versions for Firefox 2017-08-13 08:25:07 -04:00
gorhill 655b0e491b
no reason to hold back: release candidate 2017-08-12 14:49:50 -04:00
gorhill 92c6d0fc33
new revision for dev build 2017-08-12 14:39:48 -04:00
gorhill 0e078e536d
eliminate validation warning on AMO: avoid innerHTML 2017-08-11 14:26:15 -04:00
Mike Tzou 0f9cd6c8c4 README.md: use crowdin svg icon (#2857) 2017-08-11 01:35:28 -04:00
gorhill ccc4324583
fix non-dev build versioning 2017-08-11 00:41:53 -04:00
gorhill 502dd89d53
fix AMO validation warning re. invalid CSS 2017-08-10 18:55:36 -04:00
gorhill 04057d40ea
fix #2855 2017-08-10 18:50:23 -04:00
gorhill 78d61eba86
new revision for dev build 2017-08-10 18:36:58 -04:00
gorhill 04718be3fd
translation work from https://crowdin.com/project/ublock 2017-08-09 10:52:27 -04:00
Raymond Hill 90470414e8 Update CONTRIBUTING.md 2017-08-08 19:02:44 -04:00
gorhill 3a1113b768
new revision for dev build 2017-08-08 13:40:00 -04:00
gorhill 7291227a64
fix #2836 2017-08-08 11:08:18 -04:00
gorhill faca2718fa
set FF56 as max version compatible with legacy version of uBO 2017-08-08 10:56:53 -04:00
gorhill c006167c65
new revision for dev build 2017-08-05 10:05:56 -04:00
gorhill af0b1b3db0
fix #2799 (uBO side), as per https://bugzilla.mozilla.org/show_bug.cgi?id=1383064#c4 2017-08-05 10:01:59 -04:00
gorhill 61a538e9f2
fix #2843: do not auto open dashboard on Firefox 2017-08-05 09:50:21 -04:00
gorhill dd2d15e36b
new revision for dev build 2017-08-04 18:31:30 -04:00