v1.0.7.16 BETA - Help Test! #54

Closed
andryou opened this issue Jun 22, 2016 · 32 comments
@andryou
Owner

andryou commented Jun 22, 2016

What's changed from v1.0.7.15 to aid in beta testing:

  • Added Spoof Timezone - spoof or randomize your timezone; useful if you use VPN (disabled by default)
  • Added Remove Google Analytics (UTM) Tracking option (under Privacy Settings) - remove Google Analytics (UTM) tracking tokens before they're actually passed to the server (disabled by default)
  • Added option under User-Agent Spoof to apply spoofing to whitelisted domains as well (default behavior: bypass spoofing on whitelisted domains to avoid issues)
  • Anti-Fingerprinting code consolidation (this means all fingerprinting options should also be tested)

Instructions on how to Beta Test:

  1. Download the v1.0.7.16 BETA: https://github.com/andryou/scriptsafe/archive/v1.0.7.16_beta.zip
  2. Extract the ZIP file to its own folder anywhere on your computer
  3. Copy and paste chrome://extensions into your browser address bar and press Enter
  4. Make sure you have disabled the Chrome Web Store version of ScriptSafe (ID: oiigbmnaadbkfbmpbfijlflahbdbdgdf)
  5. Enable “Developer Mode”
  6. Click on Load unpacked extension, navigate to the folder you extracted ScriptSafe to in step #2 and click on OK
  7. Restore your existing ScriptSafe settings: https://www.andryou.com/scriptsafe/frequently-asked-questions/#restore

Some Test Sites:

Any feedback/issues, please add it as a comment here or reply to my email I sent to all beta testers. If everything looks good, please let me know as well!

Thank you!

@benkhouya

benkhouya commented Jun 23, 2016

Feedback # 1 -- Updated

  • Chrome crashed a few times after I enabled this beta; I don't know why.
  • Timezone spoof works perfectly !

[Screenshot: timezone]
I've tested by changing my local timezone to the timezone of my VPN ! You can test here : https://www.doileak.com/

#utm_source=feed
#xtor=RSS-1 ← Used by AT Internet Analytics

Examples:
www.fredzone.org/ce-developpeur-avait-automatise-son-boulot-pendant-six-ans-664#utm_source=feed
www.zdnet.fr/actualites/le-createur-autoproclame-du-bitcoin-multiplie-les-brevets-39838618.htm#xtor=RSS-1

Best regards

@benkhouya

benkhouya commented Jun 23, 2016

Feedback # 2 -- Updated

  • Timezone spoofing breaks gmail message editor when I try to reply to an email.

@gameb0y

gameb0y commented Jun 23, 2016

Thanks, but screen resolution spoofing?

@benkhouya

@gameb0y I think spoofing the screen resolution will (probably) break the display of responsive websites.

@andryou
Owner Author

andryou commented Jun 23, 2016

@gameb0y I just did various tests and sadly it seems Chrome does not support screen resolution spoofing

@gameb0y

gameb0y commented Jun 23, 2016

https://translate.google.com is not working; I can't translate any word because I can't select any languages

@gameb0y

gameb0y commented Jun 23, 2016

@andryou: add to Block screen resolution option?

@andryou
Owner Author

andryou commented Jun 23, 2016

@benkhouya thank you for the heads up about the usage of the hash instead of parameter! I'll address this (source: https://developers.google.com/analytics/devguides/collection/gajs/methods/gaJSApiCampaignTracking?csw=1#_gat.GA_Tracker_._setAllowAnchor). I've updated the code so that when the Remove Google Analytics Tracking option is enabled, it will handle both parameter and hash methods.

Perhaps I will add an additional option named "Remove hashes that contain an = sign" to address non-Google Analytics tracking? My reasoning is that an equal sign is a tell-tale sign of a tracking token.

EDIT: I've created a new option on my local machine - Remove Possible Hash Tracking (Default: disabled; remove possible tracking tokens passed using hash, passing in an attribute and value (e.g. #xtor=RSS-1)). I'll likely release a second beta after this first round of testing.

For Gmail not working, can you let me know what you see under the Blocked Items list in the ScriptSafe panel? I might need to add a disclaimer near the timezone spoofing option that it may break Gmail.

As well, that note about Chrome crashing is concerning; please let me know if you see it happen again.

@gameb0y about Google Translate, it seems to be working fine for me, can you let me know what you see as being blocked in the ScriptSafe panel when you're on Google Translate?

As I mentioned, unfortunately the library of screen.* values seems to be read-only or native. I'll continue to see if there's a workaround when I have spare time, but it does not seem to be promising (as it isn't affected by the methods implemented to provide the fingerprinting spoofing).
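
A sketch of the two behaviours discussed in the comment above: removing UTM tokens from both the parameter and the hash position, and the broader "hash contains an = sign" heuristic. This is an added example, not ScriptSafe's code; the function and option names are hypothetical and the URLs are constructed.

```javascript
// Added example, not ScriptSafe's code; option names are hypothetical.
const isUtmKey = key => /^utm_/i.test(key);

// Drop key=value pairs whose key matches `drop` from an &-separated string.
function filterPairs(str, drop) {
  return str.split('&').filter(p => p && !drop(p.split('=')[0])).join('&');
}

function stripTracking(rawUrl, { removeUtm = true, removeHashWithEquals = false } = {}) {
  const url = new URL(rawUrl);
  if (removeUtm) {
    // Parameter method: ?utm_source=feed
    const query = filterPairs(url.search.slice(1), isUtmKey);
    url.search = query ? '?' + query : '';
    // Hash method: #utm_source=feed
    if (url.hash.includes('=')) {
      const hash = filterPairs(url.hash.slice(1), isUtmKey);
      url.hash = hash ? '#' + hash : '';
    }
  }
  // Broader heuristic from the thread: any hash containing "=" is treated as a token.
  if (removeHashWithEquals && url.hash.includes('=')) url.hash = '';
  return url.href;
}

// Constructed sample URLs using the fragment forms reported in this thread,
// plus two legitimate fragments to show where the heuristic over-matches.
const SAMPLES = [
  'https://example.com/post?id=7&utm_source=feed&utm_medium=rss',
  'https://example.com/post#utm_source=feed',
  'https://example.com/post#xtor=RSS-1',
  'https://example.com/doc.pdf#page=3', // viewer state, not tracking
  'https://example.com/post#intro',     // plain anchor, never touched
];

function runSamples() {
  return SAMPLES.map(u => ({
    input: u,
    utmOnly: stripTracking(u),
    withHeuristic: stripTracking(u, { removeHashWithEquals: true }),
  }));
}

console.table(runSamples());
```

The `#page=3` row shows the cost of the heuristic: a fragment that carries viewer or application state is stripped along with tracking tokens, which is a reason to keep such an option disabled by default.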

@gameb0y

gameb0y commented Jun 23, 2016

[Screenshot: untitled]

@andryou
Owner Author

andryou commented Jun 23, 2016

@gameb0y I notice you're on v1.0.7.15, can you try out the v1.0.7.16 beta if possible? Thank you :) (instructions are in the first post on this page)

@gameb0y

gameb0y commented Jun 23, 2016

v1.0.7.16 beta tested. no problem, working. thank you Andry

@gameb0y

gameb0y commented Jun 23, 2016

timezone spoofing not working :/ https://whoer.net/

@andryou
Owner Author

andryou commented Jun 23, 2016

@gameb0y the "Spoof Timezone" option in ScriptSafe spoofs only the getTimezoneOffset() method, but not the getTime() method. It's to protect proxy/VPN users against sites that try to tell if they're using a proxy or not (e.g. https://www.doileak.com/). Actually it seems like that site detects your timezone via a server-side method, and does a comparison with client-side JavaScript, and uses the server-side value as a fall-back if there's a mismatch.

Here's another test site: http://www.w3schools.com/jsref/jsref_gettimezoneoffset.asp

@joedoee

joedoee commented Jun 23, 2016

Hi,
Just signed on to report that scriptsafe breaks Vivaldi. I tried versions v1.0.7.15 and this latest beta 16 as well. Vivaldi can't start from double click on desktop (or on vivaldi.exe even in admin mode) BUT it starts in sandboxie without problem (original version out of sandboxie can't start at all - repairing installation doesn't help, just thoroughly cleaning of everything and complete reinstall of Vivaldi helps, and again when I install scriptsafe it did the same again - not working except in sandboxie). When I searched my C disk for oiigbmnaadbkfb... and deleted all traces of it then Vivaldi starts normally without need for deinstall / reinstall.

Thanks

@andryou
Owner Author

andryou commented Jun 23, 2016

@joedoee thank you for registering to report the issue. What version of Vivaldi are you running and on what operating system? I just installed the latest (1.2.490.43) on Windows 7 (64-bit), and I have no issues running this beta.

I did run Vivaldi for a while last month, but switched back to Chrome as it was buggy and lacked extension support (e.g. browser/page action icons) but I understand development is active.

@benkhouya

Gmail & Timezone Spoofing

  • When timezone spoofing is enabled I can't reply to any email, but I can write a new email.
  • When I disable timezone spoofing in ScriptSafe I can reply to any email.

[Screenshot: gmail timezone spoof]
Here are the blocked items in Gmail.

Whoer bypass Timezone Spoofing

  • Probably using TimeUtil in Java (server side) + JS code (client side) :
function check_time_difference(opts) {
    var dts = new Date();
    var zt = dts.toString();
    $(opts['js_time_container']).html(zt);
    // Client epoch seconds shifted by the offset reported by getTimezoneOffset()
    var system_ts = (Math.round(dts.getTime() / 1000)
        + ((dts.getTimezoneOffset() * 60) * (-1)));
    // Values supplied by the server for comparison
    var local_ts = opts['local_timestamp'];
    var ts_diff = Math.abs(system_ts - local_ts);
    var local_zone = opts['local_timezone'];
    var mismatched = 0;
    try {
        // Read the GMT/UTC offset out of Date#toString() rather than getTimezoneOffset()
        var zonez = /(GMT|UTC)([+-]\d\d\d\d)/g.exec(zt);
        if (zonez != null) {
            if (local_zone == 'GMT' && zonez[2] == '+0000') {
                local_zone = 'GMT+0000';
            }
            if (local_zone != ("GMT" + zonez[2])) {
                mismatched = 1;
            }
        } else {
            var zonez_n = /(GMT|UTC)/g.exec(zt);
            if (zonez_n != null) {
                if (local_zone != "GMT") {
                    mismatched = 1;
                }
            }
        }
    } catch (e) {};
    // NA and time_difference are globals defined elsewhere in the site's script
    if (local_ts != NA && local_ts != "-" && local_ts != "") {
        if (ts_diff > time_difference || mismatched == 1) {
            $(opts['time_diff_container']).addClass('not-matched');
        }
        $(opts['js_time_container']).removeClass('disabled');
    }
    if (isNaN(ts_diff)) return 0;
    return mismatched;
}

https://whoer.net/js/whoer.notpacked.js

Chrome crash

  • I will try to identify how to reproduce crash, and report details to you.

@andryou : Thanks for your effort, and your great work !
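
The check quoted in the comment above reads the zone from `Date#toString()`, which is why overriding only `getTimezoneOffset()` is visible to a page. The following added example (not ScriptSafe or whoer.net code; all helper names are hypothetical, and the overrides are applied per instance to keep the demo contained) shows the inconsistency and an override that keeps the two client-side sources in agreement.

```javascript
// Added example (not ScriptSafe or whoer.net code); helper names are hypothetical.

// Offset in minutes, getTimezoneOffset() sign convention, read from Date#toString().
function offsetFromString(d) {
  const m = /(GMT|UTC)([+-])(\d\d)(\d\d)/.exec(d.toString());
  if (!m) return null;
  const minutes = Number(m[3]) * 60 + Number(m[4]);
  return (m[2] === '+' ? -minutes : minutes) || 0; // "GMT+0200" -> -120; never -0
}

// The client-side cross-check: do the two sources of the offset agree?
function isConsistent(d) {
  const fromString = offsetFromString(d);
  return fromString === null || fromString === d.getTimezoneOffset();
}

// Spoof 1: override getTimezoneOffset() only, as the option in this beta does.
function spoofOffsetOnly(d, fakeOffset) {
  d.getTimezoneOffset = () => fakeOffset;
  return d;
}

// Spoof 2: also override toString() so its GMT+hhmm field matches the fake offset.
function spoofConsistently(d, fakeOffset) {
  spoofOffsetOnly(d, fakeOffset);
  const abs = Math.abs(fakeOffset);
  const hhmm = String(Math.floor(abs / 60)).padStart(2, '0') +
               String(abs % 60).padStart(2, '0');
  const shifted = new Date(d.getTime() - fakeOffset * 60000); // wall clock in fake zone
  const wall = shifted.toUTCString().replace(/ GMT$/, '');
  d.toString = () => `${wall} GMT${fakeOffset <= 0 ? '+' : '-'}${hhmm}`;
  return d;
}

// Constructed sample: a fixed instant and a fake zone 3 hours east of the real one.
function demo() {
  const when = Date.UTC(2016, 5, 23, 12, 0, 0);
  const fake = new Date(when).getTimezoneOffset() - 180;
  return {
    untouched: isConsistent(new Date(when)),
    offsetOnly: isConsistent(spoofOffsetOnly(new Date(when), fake)),
    both: isConsistent(spoofConsistently(new Date(when), fake)),
  };
}

console.log(demo());
```

Agreement between these two methods does not cover other zone sources such as `Intl.DateTimeFormat().resolvedOptions().timeZone`, and it cannot affect the server-supplied values (`local_timezone`, `local_timestamp`) that the quoted function compares against.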

@andryou
Owner Author

andryou commented Jun 24, 2016

@benkhouya thank you! And thank you for your help in testing. It looks like the best I can do is emphasize and add a note in the option description that Timezone Spoofing does interfere with replying to emails in Gmail.

Thanks again! I'm anxious to hear if you are able to reproduce the crash.

@joedoee

joedoee commented Jun 24, 2016

@andryou
I have the latest (1.2.490.43 32-bit) on Windows 7 (64-bit) and only adblock with scriptsafe installed.

@benkhouya

Crash test

The crash/freeze of my Chrome occurs when I'm using 2 windows of Chrome, one window with one tab playing a YouTube video (HTML5), and the second window has multiple tabs opened (5 for example).

The error occurs when I resize one of the windows (sometimes, not every time)
The problem is probably not caused by ScriptSafe, but if you can test it will be better.

Thanks @andryou ^^

@andryou
Owner Author

andryou commented Jun 27, 2016

@benkhouya thanks for the detailed testing! I tried to reproduce it on my two machines, as well as in Chromium on Linux Mint (in a virtual machine) but I couldn't reproduce it. Which Fingerprint options do you have enabled?

@joedoee which adblocker do you have installed alongside ScriptSafe? I tested the latest Vivaldi with Adblock Plus and uBlock Origin both installed and enabled but Vivaldi starts up fine.

If anyone else is testing this beta: how are you finding the experience? Any issues in general?

@benkhouya

@andryou : It is with pleasure, here are my settings http://pastebin.com/bQbSBtgW

@andryou
Owner Author

andryou commented Jun 28, 2016

@benkhouya thank you! I've just tried it (two windows, 5+ tabs open in one, and YouTube open in the other playing a video) and it didn't crash. Are you able to consistently crash Chrome? What other extensions do you have installed?

@benkhouya

@andryou : I'm using Chrome 51.0.2704.106 (Windows 7 32bits) with these extensions: uBlock Origin, Ghostery, HTTPS Everywhere. And I'm not able to consistently crash Chrome, this can be a system problem.

@andryou
Owner Author

andryou commented Jun 28, 2016

@benkhouya @gameb0y @joedoee I've released Beta 2, which incorporates most of what was discussed here with the exception of things I haven't been able to reproduce yet: #57

I am going to close this issue but I will continue to look into some of the reports (re: Vivaldi browser and the crash reported by @benkhouya). Feel free to comment in #57 with any findings.

I hope you all enjoy the new Update and Options interface :)

andryou closed this as completed Jun 28, 2016

@joedoee

joedoee commented Jun 29, 2016

@andryou
I have the latest (1.2.490.43 32-bit) on Windows 7 (64-bit) and I deinstalled vivaldi completely (also all traces in registry) and then reinstalled it and it worked fine (all default). Then I installed scriptsafe and Vivaldi won't run - this time no other extensions at all only scriptsafe.
I don't think that it is related to my PC since the same happened on my laptop.
I tried also 64 bit version of vivaldi and problem remains.
I will play with it a little bit more, if I remember correctly vivaldi made some error log file and if this is true I can post it here. I will check that.
thanks

@andryou
Owner Author

andryou commented Jun 29, 2016

@joedoee interesting, I found these threads:

So it looks like it's occurring for other people. I will continue to test on my machine and virtual machine to see if there's anything I can do on my end to mitigate this, but it does sound like this may be a bug in Vivaldi itself due to: https://vivaldi.net/en-US/forum/3rd-party-extensions/12120-scriptsafe-add-on-makes-vivaldi-unstartable#65739

@andryou
Owner Author

andryou commented Jun 29, 2016

@joedoee something else that sounds like it was due to a change in the Vivaldi Browser: https://vivaldi.net/en-US/forum/vivaldi-browser/9266-scriptsafe-breaks-vivaldi#51483

So just for testing i installed beta 3 instead of latest snapshot there scriptsafe is working well.

@joedoee

joedoee commented Jun 29, 2016

@andryou
thanks for the link - that is exactly what happened on my side:
https://vivaldi.net/en-US/forum/vivaldi-browser/9266-scriptsafe-breaks-vivaldi#51483

@joedoee

joedoee commented Jun 29, 2016

@andryou
Latest Vivaldi beta resolved problem for me.
Thanks

@andryou
Owner Author

andryou commented Jun 29, 2016

@benkhouya thank you for the update! I'm very happy to hear that :)

@joedoee

joedoee commented Jul 9, 2016

@andryou
Why is there no zip file available anymore? Is it possible to get it without Google?
Thanks

@andryou
Owner Author

andryou commented Jul 9, 2016

@joedoee for all releases up until now I was able to do a complete zip of this repo and push it to the Web Store. But with v1.0.8.4 I had to exclude most of the locale translations. I've just uploaded the modified zip file (which is the one I pushed to the Web Store) and you can download it here: https://github.com/andryou/scriptsafe/releases/tag/v1.0.8.4 :)
