> <DIV
CLASS="TABLE"
><A
-NAME="AEN2158"
+NAME="AEN2171"
></A
><P
><B
><H2
CLASS="SECT2"
><A
-NAME="AEN2257"
+NAME="AEN2270"
>8.1. Finding the Right Mix</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2264"
+NAME="AEN2277"
>8.2. How to Edit</A
></H2
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2355"
+NAME="AEN2368"
>8.4.1. The Domain Pattern</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2426"
+NAME="AEN2439"
>8.4.2. The Path Pattern</A
></H3
><P
and use their output as input.
</P
><P
+> If the request URL gets changed, <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+> will detect that and use the new
+ one. This can be used to rewrite the request destination behind the client's
+ back, for example to specify a Tor exit relay for certain requests.
+ </P
+><P
> Please refer to the <A
HREF="filter-file.html"
>filter file chapter</A
# This way you can continue to use Tor for your normal browsing,
# without overloading the Tor network with your FreeBSD ports updates
# or downloads of bigger files like ISOs.
+# Note that HTTP headers are easy to fake and therefore their
+# values are as (un)trustworthy as your clients and users.
{+forward-override{forward .} \
-hide-if-modified-since \
-overwrite-last-modified \
CLASS="QUOTE"
>"If-Modified-Since:"</SPAN
> makes
- sure it isn't used as a cookie replacement, but you will run into
- caching problems if the random range is too high.
+ it less likely that the server can use the time as a cookie replacement,
+ but you will run into caching problems if the random range is too high.
</P
><P
> It is a good idea to only use a small negative value and let
HREF="actions-file.html#CRUNCH-IF-NONE-MATCH"
>crunch-if-none-match</A
></TT
->.
+>,
+ otherwise it's more or less pointless.
</P
></DD
><DT
><TD
><PRE
CLASS="SCREEN"
-># Let the browser revalidate without being tracked across sessions
-{ +hide-if-modified-since{-60} \
+># Let the browser revalidate but make tracking based on the time less likely.
+{+hide-if-modified-since{-60} \
+overwrite-last-modified{randomize} \
+crunch-if-none-match}
/</PRE
>Typical use:</DT
><DD
><P
->Improve privacy by not embedding the source of the request in the HTTP headers.</P
+>Improve privacy by not forwarding the source of the request in the HTTP headers.</P
></DD
><DT
>Effect:</DT
> Deletes any existing <SPAN
CLASS="QUOTE"
>"X-Forwarded-for:"</SPAN
-> HTTP header from client requests,
- and prevents adding a new one.
+> HTTP header from client requests.
</P
></DD
><DT
>Notes:</DT
><DD
><P
-> It is safe to leave this on.
+> It is safe and recommended to leave this on.
</P
></DD
><DT
><P
><SPAN
CLASS="QUOTE"
+>"conditional-forge"</SPAN
+> to forge the header if the host has changed.</P
+></LI
+><LI
+><P
+><SPAN
+CLASS="QUOTE"
>"block"</SPAN
> to delete the header unconditionally.</P
></LI
><P
> Always blocking the referrer, or using a custom one, can lead to
failures on servers that check the referrer before they answer any
- requests, in an attempt to prevent their valuable content from being
+ requests, in an attempt to prevent their content from being
embedded or linked to elsewhere.
</P
><P
>Typical use:</DT
><DD
><P
->Conceal your type of browser and client operating system</P
+>Try to conceal your type of browser and client operating system</P
></DD
><DT
>Effect:</DT
></SPAN
> the right thing to do: good web sites
work browser-independently).
-
</P
></TD
></TR
>Typical use:</DT
><DD
><P
->To protect against the MS buffer over-run in JPEG processing</P
+>Try to protect against a MS buffer over-run in JPEG processing</P
></DD
><DT
>Effect:</DT
allow execution of code on the target system, giving an attacker access
to the system in question by merely planting an altered JPEG image, which
would have no obvious indications of what lurks inside. This action
- prevents this exploit.
+ tries to prevent this exploit if delivered through unencrypted HTTP.
</P
><P
-> Note that the described exploit is only one of many,
- using this action does not mean that you no longer
- have to patch the client.
+> Note that the exploit mentioned is several years old
+ and it's unlikely that your client is still vulnerable
+ against it. This action may be removed in one of the
+ next releases.
</P
></DD
><DT
> This action is most appropriate for browsers that don't have any controls
for unwanted pop-ups. Not recommended for general usage.
</P
+><P
+> This action doesn't work very reliable and may be removed in future releases.
+ </P
></DD
><DT
>Example usage:</DT
> URLs) through proxies. It works very simply:
the proxy connects to the server on the specified port, and then
short-circuits its connections to the client and to the remote server.
- This can be a big security hole, since CONNECT-enabled proxies can be
- abused as TCP relays very easily.
+ This means CONNECT-enabled proxies can be used as TCP relays very easily.
</P
><P
> <SPAN
><H3
CLASS="SECT3"
><A
-NAME="AEN4232"
+NAME="AEN4251"
>8.5.39. Summary</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN4297"
+NAME="AEN4316"
>8.7.1. default.action</A
></H3
><P
experience.</P
><P
> Again, at the start of matching, all actions are disabled, so there is
- no real need to disable any actions here, but we will do that nonetheless,
- to have a complete listing for your reference. (Remember: a <SPAN
+ no need to disable any actions here. (Remember: a <SPAN
CLASS="QUOTE"
>"+"</SPAN
>
# "Defaults" section:
##########################################################################
{ \
- -<A
-HREF="actions-file.html#ADD-HEADER"
->add-header</A
-> \
- -<A
-HREF="actions-file.html#CLIENT-HEADER-FILTER"
->client-header-filter{hide-tor-exit-notation}</A
-> \
- -<A
-HREF="actions-file.html#BLOCK"
->block</A
-> \
- -<A
-HREF="actions-file.html#CONTENT-TYPE-OVERWRITE"
->content-type-overwrite</A
-> \
- -<A
-HREF="actions-file.html#CRUNCH-CLIENT-HEADER"
->crunch-client-header</A
-> \
- -<A
-HREF="actions-file.html#CRUNCH-IF-NONE-MATCH"
->crunch-if-none-match</A
-> \
- -<A
-HREF="actions-file.html#CRUNCH-INCOMING-COOKIES"
->crunch-incoming-cookies</A
-> \
- -<A
-HREF="actions-file.html#CRUNCH-SERVER-HEADER"
->crunch-server-header</A
-> \
- -<A
-HREF="actions-file.html#CRUNCH-OUTGOING-COOKIES"
->crunch-outgoing-cookies</A
-> \
+<A
HREF="actions-file.html#DEANIMATE-GIFS"
>deanimate-gifs</A
-> \
- -<A
-HREF="actions-file.html#DOWNGRADE-HTTP-VERSION"
->downgrade-http-version</A
-> \
- -<A
-HREF="actions-file.html#FAST-REDIRECTS"
->fast-redirects{check-decoded-url}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-JS-ANNOYANCES"
->filter{js-annoyances}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-JS-EVENTS"
->filter{js-events}</A
> \
+<A
HREF="actions-file.html#FILTER-HTML-ANNOYANCES"
>filter{html-annoyances}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-CONTENT-COOKIES"
->filter{content-cookies}</A
> \
+<A
HREF="actions-file.html#FILTER-REFRESH-TAGS"
>filter{refresh-tags}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-UNSOLICITED-POPUPS"
->filter{unsolicited-popups}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-ALL-POPUPS"
->filter{all-popups}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-IMG-REORDER"
->filter{img-reorder}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-BANNERS-BY-SIZE"
->filter{banners-by-size}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-BANNERS-BY-LINK"
->filter{banners-by-link}</A
> \
+<A
HREF="actions-file.html#FILTER-WEBBUGS"
>filter{webbugs}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-TINY-TEXTFORMS"
->filter{tiny-textforms}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-JUMPING-WINDOWS"
->filter{jumping-windows}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-FRAMESET-BORDERS"
->filter{frameset-borders}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-DEMORONIZER"
->filter{demoronizer}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-SHOCKWAVE-FLASH"
->filter{shockwave-flash}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-QUICKTIME-KIOSKMODE"
->filter{quicktime-kioskmode}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-FUN"
->filter{fun}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-CRUDE-PARENTAL"
->filter{crude-parental}</A
> \
+<A
HREF="actions-file.html#FILTER-IE-EXPLOITS"
>filter{ie-exploits}</A
> \
- -<A
-HREF="actions-file.html#FILTER-GOOGLE"
->filter{google}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-YAHOO"
->filter{yahoo}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-MSN"
->filter{msn}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-BLOGSPOT"
->filter{blogspot}</A
-> \
- -<A
-HREF="actions-file.html#FILTER-NO-PING"
->filter{no-ping}</A
-> \
- -<A
-HREF="actions-file.html#FORCE-TEXT-MODE"
->force-text-mode</A
-> \
- -<A
-HREF="actions-file.html#HANDLE-AS-EMPTY-DOCUMENT"
->handle-as-empty-document</A
-> \
- -<A
-HREF="actions-file.html#HANDLE-AS-IMAGE"
->handle-as-image</A
-> \
- -<A
-HREF="actions-file.html#HIDE-ACCEPT-LANGUAGE"
->hide-accept-language</A
-> \
- -<A
-HREF="actions-file.html#HIDE-CONTENT-DISPOSITION"
->hide-content-disposition</A
-> \
- -<A
-HREF="actions-file.html#HIDE-IF-MODIFIED-SINCE"
->hide-if-modified-since</A
-> \
+<A
HREF="actions-file.html#HIDE-FORWARDED-FOR-HEADERS"
>hide-forwarded-for-headers</A
+<A
HREF="actions-file.html#HIDE-REFERER"
>hide-referrer{forge}</A
-> \
- -<A
-HREF="actions-file.html#HIDE-USER-AGENT"
->hide-user-agent</A
-> \
- -<A
-HREF="actions-file.html#INSPECT-JPEGS"
->inspect-jpegs</A
-> \
- -<A
-HREF="actions-file.html#KILL-POPUPS"
->kill-popups</A
-> \
- -<A
-HREF="actions-file.html#LIMIT-CONNECT"
->limit-connect</A
> \
+<A
HREF="actions-file.html#PREVENT-COMPRESSION"
>prevent-compression</A
-> \
- -<A
-HREF="actions-file.html#OVERWRITE-LAST-MODIFIED"
->overwrite-last-modified</A
-> \
- -<A
-HREF="actions-file.html#REDIRECT"
->redirect</A
-> \
- -<A
-HREF="actions-file.html#SEND-VANILLA-WAFER"
->send-vanilla-wafer</A
-> \
- -<A
-HREF="actions-file.html#SEND-WAFER"
->send-wafer</A
-> \
- -<A
-HREF="actions-file.html#SERVER-HEADER-FILTER"
->server-header-filter{xml-to-html}</A
-> \
- -<A
-HREF="actions-file.html#SERVER-HEADER-FILTER"
->server-header-filter{html-to-xml}</A
> \
+<A
HREF="actions-file.html#SESSION-COOKIES-ONLY"
+<A
HREF="actions-file.html#SET-IMAGE-BLOCKER"
>set-image-blocker{pattern}</A
-> \
- -<A
-HREF="actions-file.html#TREAT-FORBIDDEN-CONNECTS-LIKE-BLOCKS"
->treat-forbidden-connects-like-blocks</A
> \
}
/ # forward slash will match *all* potential URL patterns.</PRE
></TABLE
></P
><P
-> The default behavior is now set. Note that some actions, like not hiding
- the user agent, are part of a <SPAN
-CLASS="QUOTE"
->"general policy"</SPAN
-> that applies
- universally and won't get any exceptions defined later. Other choices,
- like not blocking (which is <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->understandably</I
-></SPAN
-> the
- default!) need exceptions, i.e. we need to specify explicitly what we
- want to block in later sections.</P
+> The default behavior is now set.
+ </P
><P
> The first of our specialized sections is concerned with <SPAN
CLASS="QUOTE"
><H3
CLASS="SECT3"
><A
-NAME="AEN4484"
+NAME="AEN4452"
>8.7.2. user.action</A
></H3
><P
><TD
><PRE
CLASS="SCREEN"
-># My user.action file. <fred@foobar.com></PRE
+># My user.action file. <fred@example.com></PRE
></TD
></TR
></TABLE
>block</A
> }
www.example.com/nasty-ads/sponsor\.gif
- another.popular.site.net/more/junk/here/</PRE
+ another.example.net/more/junk/here/</PRE
></TD
></TR
></TABLE
CLASS="FILENAME"
>default.filter</TT
>,
- but it is disabled in the distributed actions file. (My colleagues on the team just
- don't have a sense of humour, that's why! ;-). So you'd like to turn it on in your private,
+ but it is disabled in the distributed actions file.
+ So you'd like to turn it on in your private,
update-safe config, once and for all:</P
><P
><TABLE
projects / privoxy.git / blobdiff