X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fwebserver%2Fuser-manual%2Factions-file.html;h=5a20e52d22844281839947d46191e92f6e3161a3;hp=72b9a064357bde67447ccedb2fa08972b5ddf4d9;hb=594da2fb0547a6325317ff12476f400622bb6cf5;hpb=e61fdec519cef582a2dc5507543a006b539ad3f4 diff --git a/doc/webserver/user-manual/actions-file.html b/doc/webserver/user-manual/actions-file.html index 72b9a064..5a20e52d 100644 --- a/doc/webserver/user-manual/actions-file.html +++ b/doc/webserver/user-manual/actions-file.html @@ -1,13 +1,13 @@ +
The actions files are used to define what Privoxy with - differing purposes: -
match-all.action - is used to define which + "actions" relating to banner-blocking, images, pop-ups, + content modification, cookie handling etc should be applied by default. + It should be the first actions file loaded +
default.action - is the primary action file - that sets the initial values for all actions. It is intended to - provide a base level of functionality for - Privoxy's array of features. So it is - a set of broad rules that should work reasonably well as-is for most users. - This is the file that the developers are keeping updated, and making available to users. - The user's preferences as set in - defines many exceptions (both + positive and negative) from the default set of actions that's configured + in standard.action, - e.g. either Cautious (the default), - Medium, or Advanced (see - below). -
match-all.action. It is a set of rules that should + work reasonably well as-is for most users. This file is only supposed to + be edited by the developers. It should be the second actions file loaded. +user.action - is intended to be for local site - preferences and exceptions. As an example, if your ISP or your bank - has specific requirements, and need special handling, this kind of - thing should go here. This file will not be upgraded. -
standard.action - is used only by the web based editor - at http://config.privoxy.org/edit-actions-list?f=default, - to set various pre-defined sets of rules for the default actions section - in default.action. -
Edit Set to Advanced -
These have increasing levels of aggressiveness These have increasing levels of aggressiveness and have no - influence on your browsing unless you select them explicitly in the - editor. A default installation should be pre-set to - Cautious (versions prior to 3.0.5 were set to - Medium). New users should try this for a while before - adjusting the settings to more aggressive levels. The more aggressive - the settings, then the more likelihood there is of problems such as sites - not working as they should. -
. New users should try this for a while before + adjusting the settings to more aggressive levels. The more aggressive + the settings, then the more likelihood there is of problems such as sites + not working as they should. +The The Edit button allows you to turn each - action on/off individually for fine-tuning. The Cautious - button changes the actions list to low/safe settings which will activate - ad blocking and a minimal set of Privoxy's features, and subsequently - there will be less of a chance for accidental problems. The - Medium button sets the list to a medium level of - other features and a low level set of privacy features. The - Advanced button sets the list to a high level of - ad blocking and medium level of privacy. See the chart below. The latter - three buttons over-ride any changes via with the - Edit button. More fine-tuning can be done in the - lower sections of this internal page. -
It is not recommend to edit the standard.action file - itself. -
While the actions file editor allows to enable these settings in all + actions files, they are only supposed to be enabled in the first one + to make sure you don't unintentionally overrule earlier rules. +The default profiles, and their associated actions, as pre-defined in - The default profiles, and their associated actions, as pre-defined in + standard.actiondefault.action are: -
Feature | Cautious | Medium | Advanced |
---|---|---|---|
Ad-blocking Aggressiveness | medium | high | high |
Ad-filtering by size | no | yes | yes |
Ad-filtering by link | no | no | yes |
Pop-up killing | blocks only | blocks only | blocks only |
Privacy Features | low | medium | medium/high |
Cookie handling | none | session-only | kill |
Referer forging | no | yes | yes |
GIF de-animation | no | yes | yes |
Fast redirects | no | no | yes |
HTML taming | no | no | yes |
JavaScript taming | no | no | yes |
Web-bug killing | no | yes | yes |
Image tag reordering | no | no | yesyes | {+block} +>{+block{No nasty stuff for you.}} # Block and replace with "blocked" page .nasty-stuff.example.com -{+block +handle-as-image} +{+block{Doubleclick banners.} +handle-as-image} # Block and replace with image .ad.doubleclick.net .ads.r.us/banners/ -{+block +handle-as-empty-document} +{+block{Layered ads.} +handle-as-empty-document} # Block and then ignore - adserver.exampleclick.net/.*\.js$ |
Rewrite or remove single client headers. -
Improve privacy by not forwarding the source of the request in the HTTP headers.All client headers to which this action applies are filtered on-the-fly through - the specified regular expression based substitutions. +> Deletes the "X-Forwarded-For:" HTTP header from the client request, + or adds a new one.
The name of a client-header filter, as defined in one of the - filter files. -
"block" to delete the header.
"add" to create the header (or append + the client's IP address to an already existing one). +
It is safe and recommended to use block. +
Forwarding the source address of the request may make + sense in some multi-user setups but is also a privacy risk. +
+change-x-forwarded-for{block} |
Rewrite or remove single client headers. +
All client headers to which this action applies are filtered on-the-fly through + the specified regular expression based substitutions. +
Parameterized.
The name of a client-header filter, as defined in one of the + filter files. +
If the request URL gets changed, Privoxy will detect that and use the new + one. This can be used to rewrite the request destination behind the client's + back, for example to specify a Tor exit relay for certain requests. +
Please refer to the filter file chapter
{+client-header-filter{hide-tor-exit-notation}} -.exit/ +># Hide Tor exit notation in Host and Referer Headers +{+client-header-filter{hide-tor-exit-notation}} +/
# Tag every request with the User-Agent header -{+client-header-filter{user-agent}} +{+client-header-tagger{user-agent}} / + +# Tagging itself doesn't change the action +# settings, sections with TAG patterns do: +# +# If it's a download agent, use a different forwarding proxy, +# show the real User-Agent and make sure resume works. +{+forward-override{forward-socks5 10.0.0.2:2222 .} \ + -hide-if-modified-since \ + -overwrite-last-modified \ + -hide-user-agent \ + -filter \ + -deanimate-gifs \ +} +TAG:^User-Agent: NetBSD-ftp/ +TAG:^User-Agent: Novell ZYPP Installer +TAG:^User-Agent: RPM APT-HTTP/ +TAG:^User-Agent: fetch libfetch/ +TAG:^User-Agent: Ubuntu APT-HTTP/ +TAG:^User-Agent: MPlayer/8.5.5. content-type-overwrite8.5.6. content-type-overwrite
It is also useful to make sure the header isn't used as a cookie - replacement. + replacement (unlikely but possible).
Blocking the "If-Modified-Since:" header - isn't blocked as well. + isn't blocked or missing as well.
It is recommended to use this action together with @@ -2702,8 +2704,9 @@ WIDTH="90%" >
# Let the browser revalidate cached documents without being tracked across sessions -{ +hide-if-modified-since{-60} \ +># Let the browser revalidate cached documents but don't +# allow the server to use the revalidation headers for user tracking. +{+hide-if-modified-since{-60} \ +overwrite-last-modified{randomize} \ +crunch-if-none-match} /8.5.8. crunch-incoming-cookies8.5.9. crunch-incoming-cookies
Prevent the web server from setting any cookies on your system +> Prevent the web server from setting HTTP cookies on your system
It makes 8.5.9. crunch-server-header8.5.10. crunch-server-header
Prevent the web server from reading any cookies from your system +> Prevent the web server from reading any HTTP cookies from your system
{ +fast-redirects{simple-check} } - .example.com + one.example.com { +fast-redirects{check-decoded-url} } another.example.com/testing8.5.14. filter8.5.15. filter
+filter{js-annoyances} # Get rid of particularly annoying JavaScript abuse+filter{js-annoyances} # Get rid of particularly annoying JavaScript abuse.
+filter{js-events} # Kill all JS event bindings (Radically destructive! Only for extra nasty sites)+filter{js-events} # Kill all JS event bindings and timers (Radically destructive! Only for extra nasty sites).
+filter{html-annoyances} # Get rid of particularly annoying HTML abuse+filter{html-annoyances} # Get rid of particularly annoying HTML abuse.
+filter{content-cookies} # Kill cookies that come in the HTML or JS content+filter{content-cookies} # Kill cookies that come in the HTML or JS content.
+filter{refresh-tags} # Kill automatic refresh tags (for dial-on-demand setups)+filter{refresh-tags} # Kill automatic refresh tags (for dial-on-demand setups).
+filter{img-reorder} # Reorder attributes in <img> tags to make the banners-by-* filters more effective+filter{img-reorder} # Reorder attributes in <img> tags to make the banners-by-* filters more effective.
+filter{banners-by-size} # Kill banners by size+filter{banners-by-size} # Kill banners by size.
+filter{banners-by-link} # Kill banners by their links to known clicktrackers+filter{banners-by-link} # Kill banners by their links to known clicktrackers.
+filter{webbugs} # Squish WebBugs (1x1 invisible GIFs used for user tracking)+filter{webbugs} # Squish WebBugs (1x1 invisible GIFs used for user tracking).
+filter{tiny-textforms} # Extend those tiny textareas up to 40x80 and kill the hard wrap+filter{tiny-textforms} # Extend those tiny textareas up to 40x80 and kill the hard wrap.
+filter{jumping-windows} # Prevent windows from resizing and moving themselves+filter{jumping-windows} # Prevent windows from resizing and moving themselves.
+filter{frameset-borders} # Give frames a border and make them resizeable+filter{frameset-borders} # Give frames a border and make them resizable.
+filter{demoronizer} # Fix MS's non-standard use of standard charsets+filter{demoronizer} # Fix MS's non-standard use of standard charsets.
+filter{shockwave-flash} # Kill embedded Shockwave Flash objects+filter{shockwave-flash} # Kill embedded Shockwave Flash objects.
+filter{quicktime-kioskmode} # Make Quicktime movies savable+filter{quicktime-kioskmode} # Make Quicktime movies saveable.
+filter{crude-parental} # Crude parental filtering (demo only)+filter{crude-parental} # Crude parental filtering. Note that this filter doesn't work reliably.
+filter{ie-exploits} # Disable some known Internet Explorer bug exploits+filter{ie-exploits} # Disable some known Internet Explorer bug exploits.
+filter{site-specifics} # Custom filters for specific site related problems+filter{site-specifics} # Cure for site-specific problems. Don't apply generally!
+filter{google} # Removes text ads and other Google specific improvements+filter{no-ping} # Removes non-standard ping attributes in <a> and <area> tags. |
+filter{yahoo} # Removes text ads and other Yahoo specific improvements+filter{google} # CSS-based block for Google text ads. Also removes a width limitation and the toolbar advertisement. |
+filter{msn} # Removes text ads and other MSN specific improvements+filter{yahoo} # CSS-based block for Yahoo text ads. Also removes a width limitation. |
+filter{blogspot} # Cleans up Blogspot blogs+filter{msn} # CSS-based block for MSN text ads. Also removes tracking URLs and a width limitation. |
+filter{no-ping} # Removes non-standard ping attributes from anchor and area tags+filter{blogspot} # Cleans up some Blogspot blogs. Read the fine print before using this. |
Overrules the forward directives in the configuration files. +> Overrules the forward directives in the configuration file.
This action takes parameters similar to the +> This action takes parameters similar to the forward
This action will probably be removed in the future, + use server-header filters instead. +
It is a good idea to only use a small negative value and let @@ -5066,7 +5080,8 @@ CLASS="LITERAL" HREF="actions-file.html#CRUNCH-IF-NONE-MATCH" >crunch-if-none-match. +>, + otherwise it's more or less pointless.
# Let the browser revalidate without being tracked across sessions -{ +hide-if-modified-since{-60} \ +># Let the browser revalidate but make tracking based on the time less likely. +{+hide-if-modified-since{-60} \ +overwrite-last-modified{randomize} \ +crunch-if-none-match} /
Improve privacy by hiding the true source of the request
Deletes any existing "X-Forwarded-for:" HTTP header from client requests, - and prevents adding a new one. -
Boolean.
N/A -
It is fairly safe to leave this on. -
This action is scheduled for improvement: It should be able to generate forged - "X-Forwarded-for:" headers using random IP addresses from a specified network, - to make successive requests from the same client look like requests from a pool of different - users sharing the same proxy. -
+hide-forwarded-for-headers |
"conditional-forge" to forge the header if the host has changed.
"block" to delete the header unconditionally.
Always blocking the referrer, or using a custom one, can lead to failures on servers that check the referrer before they answer any - requests, in an attempt to prevent their valuable content from being + requests, in an attempt to prevent their content from being embedded or linked to elsewhere.
8.5.25. hide-user-agent8.5.25. hide-user-agent
Conceal your type of browser and client operating system
Try to conceal your type of browser and client operating systemThis action is scheduled for improvement. +> More information on known user-agent strings can be found at + http://www.user-agents.org/ + and + http://en.wikipedia.org/wiki/User_agent.
To protect against the MS buffer over-run in JPEG processing
Prevent abuse of Privoxy as a TCP proxy relay or disable SSL for untrusted sitesProtect against a known exploit +> Specifies to which ports HTTP CONNECT requests are allowable.
Boolean.
N/A -
See Microsoft Security Bulletin MS04-028. JPEG images are one of the most - common image types found across the Internet. The exploit as described can - allow execution of code on the target system, giving an attacker access - to the system in question by merely planting an altered JPEG image, which - would have no obvious indications of what lurks inside. This action - prevents unwanted intrusion. -
+inspect-jpegs |
Eliminate those annoying pop-up windows (deprecated)
While loading the document, replace JavaScript code that opens - pop-up windows with (syntactically neutral) dummy code on the fly. -
Boolean.
N/A -
This action is basically a built-in, hardwired special-purpose filter - action, but there are important differences: For kill-popups, - the document need not be buffered, so it can be incrementally rendered while - downloading. But kill-popups doesn't catch as many pop-ups as - filter{all-popups} - does and is not as smart as filter{unsolicited-popups} - is. -
Think of it as a fast and efficient replacement for a filter that you - can use if you don't want any filtering at all. Note that it doesn't make - sense to combine it with any filter action, - since as soon as one filter applies, - the whole document needs to be buffered anyway, which destroys the advantage of - the kill-popups action over its filter equivalent. -
Killing all pop-ups unconditionally is problematic. Many shops and banks rely on - pop-ups to display forms, shopping carts etc, and the filter{unsolicited-popups} - does a better job of catching only the unwanted ones. -
If the only kind of pop-ups that you want to kill are exit consoles (those - really nasty windows that appear when you close an other - one), you might want to use - filter{js-annoyances} - instead. -
This action is most appropriate for browsers that don't have any controls - for unwanted pop-ups. Not recommended for general usage. -
+kill-popups |
Prevent abuse of Privoxy as a TCP proxy relay or disable SSL for untrusted sites
Specifies to which ports HTTP CONNECT requests are allowable. -
Parameterized.
Parameterized.The CONNECT methods exists in HTTP to allow access to secure websites @@ -5904,8 +5610,7 @@ CLASS="QUOTE" > URLs) through proxies. It works very simply: the proxy connects to the server on the specified port, and then short-circuits its connections to the client and to the remote server. - This can be a big security hole, since CONNECT-enabled proxies can be - abused as TCP relays very easily. + This means CONNECT-enabled proxies can be used as TCP relays very easily.
Privoxy's filters. By specifying an invalid port range you can disable HTTPS entirely. - If you plan to disable SSL by default, consider enabling - treat-forbidden-connects-like-blocks - as well, to be able to quickly create exceptions.
+limit-connect{443} # This is the default and need not be specified. +>+limit-connect{443} # Port 443 is OK. +limit-connect{80,443} # Ports 80 and 443 are OK. +limit-connect{-3, 7, 20-100, 500-} # Ports less than 3, 7, 20 to 100 and above 500 are OK. +limit-connect{-} # All ports are OK @@ -5960,8 +5656,8 @@ CLASS="SECT3" CLASS="SECT3" >8.5.29. prevent-compression8.5.27. prevent-compressionfilter, and + deanimate-gifs - and kill-popups actions need - access to the uncompressed data. + actions need access to the uncompressed data.When compiled with zlib support (available since 8.5.30. overwrite-last-modified8.5.28. overwrite-last-modified
hided-if-modified-sincehide-if-modified-since to further customize your random range. @@ -6272,8 +5962,8 @@ CLASS="SECT3" CLASS="SECT3" >8.5.31. redirect8.5.29. redirectIn case of problems with your redirects, or simply to watch + them working, enable debug 128. +
- Example usages:
Feed log analysis scripts with useless data. -
Sends a cookie with each request stating that you do not accept any copyright - on cookies sent to you, and asking the site operator not to track you. -
Boolean.
N/A -
The vanilla wafer is a (relatively) unique header and could conceivably be used to track you. -
This action is rarely used and not enabled in the default configuration. -
+send-vanilla-wafer |
Send custom cookies or feed log analysis scripts with even more useless data. -
Sends a custom, user-defined cookie with each request. -
Multi-value.
A string of the form "name=value". -
Being multi-valued, multiple instances of this action can apply to the same request, - resulting in multiple cookies being sent. -
This action is rarely used and not enabled in the default configuration. -
{+send-wafer{UsingPrivoxy=true}} -my-internal-testing-server.void |
Disable or disable filters based on the Content-Type header. +> Enable or disable filters based on the Content-Type header.
# Tag every request with the declared content type -{+client-header-filter{content-type}} +># Tag every request with the content type declared by the server +{+server-header-tagger{content-type}} /
Block forbidden connects with an easy to find error message.
If this action is enabled, Privoxy no longer - makes a difference between forbidden connects and ordinary blocks. -
Boolean
N/A
By default Privoxy answers - forbidden "Connect" requests - with a short error message inside the headers. If the browser doesn't display - headers (most don't), you just see an empty page. -
With this action enabled, Privoxy displays - the message that is used for ordinary blocks instead. If you decide - to make an exception for the page in question, you can do so by - following the "See why" link. -
For "Connect" requests the clients tell - Privoxy which host they are interested - in, but not which document they plan to get later. As a result, the - "Go there anyway" wouldn't work and is therefore suppressed. -
+treat-forbidden-connects-like-blocks |
Note that many of these actions have the potential to cause a page to misbehave, possibly even not to display at all. There are many ways @@ -7296,8 +6736,8 @@ CLASS="SECT2" CLASS="SECT2" >8.6. Aliases8.6. Aliases
Custom crunch-outgoing-cookies
- +block-as-image = +block +handle-as-image
+ +block-as-image = +block{Blocked image.} +handle-as-image
allow-all-cookies = -crunch-all-cookies -session-cookies-onlyhide-referrer -kill-popups -prevent-compression
@@ -7470,9 +6907,6 @@ HREF="actions-file.html#PREVENT-COMPRESSION"
shop = -crunch-all-cookies -filter{all-popups} -kill-popups
# Short names for other aliases, for really lazy people ;-)
@@ -7518,7 +6952,7 @@ CLASS="SCREEN"
# These shops require pop-ups:
#
- {-kill-popups -filter{all-popups} -filter{unsolicited-popups}}
+ {-filter{all-popups} -filter{unsolicited-popups}}
.dabs.com
.overclockers.co.uk8.7. Actions Files Tutorial8.7. Actions Files Tutorial The above chapters have shown . Now, let's look at an
example match-all.action, default.action
+ and user.action file and see how all these pieces come together: Remember all actions are disabled when matching starts,
+ so we have to explicitly enable the ones we want. While the match-all.action file only contains a
+ single section, it is probably the most important one. It has only one
+ pattern, "/", but this pattern
+ matches all URLs. Therefore, the set of
+ actions used in this "default" section will
+ be applied to all requests as a start. It can be partly or
+ wholly overridden by other actions files like default.action and
+ and user.action
- file and see how all these pieces come together: Every config file should start with a short comment stating its purpose: Then, since this is the The default behavior is now set. If you aren't a developer, there's no need for you to edit the
+ default.action file. It is maintained by
+ the Privoxy developers and if you disagree with some of the
+ sections, you should overrule them in your user.action. Understanding the default.action file, the
-first section is a special section for internal use that you needn't
-change or worry about: The first section in this file is a special section for internal use
+ that prevents older Privoxy versions from reading the file: After that comes the (optional) alias section. We'll use the example
-section from the above After that comes the (optional) alias section. We'll use the example
+ section from the above chapter on aliases,
-that also explains why and how aliases are used: Now come the regular sections, i.e. sets of actions, accompanied
- by URL patterns to which they apply. Remember all actions
- are disabled when matching starts, so we have to explicitly
- enable the ones we want. The first regular section is probably the most important. It has only
- one pattern, "/", but this pattern
- matches all URLs. Therefore, the
- set of actions used in this "default" section will
- be applied to all requests as a start. It can be partly or
- wholly overridden by later matches further down this file, or in user.action,
- but it will still be largely responsible for your overall browsing
- experience. Again, at the start of matching, all actions are disabled, so there is
- no real need to disable any actions here, but we will do that nonetheless,
- to have a complete listing for your reference. (Remember: a "+"
- preceding the action name enables the action, a "-" disables!).
- Also note how this long line has been made more readable by splitting it into
- multiple lines with line continuation. The default behavior is now set. Note that some actions, like not hiding
- the user agent, are part of a "general policy" that applies
- universally and won't get any exceptions defined later. Other choices,
- like not blocking (which is understandably the
- default!) need exceptions, i.e. we need to specify explicitly what we
- want to block in later sections. The first of our specialized sections is concerned with "fragile"fast-redirects
- action, which we enabled per default above, breaks some sites. So disable
- it for popular sites where we know it misbehaves: So far we are painting with a broad brush by setting general policies,
which would be a reasonable starting point for many people. Now,
@@ -8560,7 +7765,7 @@ WIDTH="100%"
>8.7.1. match-all.action
8.7.1. default.action
, but it will still be largely responsible
+ for your overall browsing experience.# Sample default.action file <ijbswa-developers@lists.sourceforge.net>
{ \
+ +change-x-forwarded-for{block} \
+ +hide-from-header{block} \
+ +set-image-blocker{pattern} \
+}
+/ # Match all URLs
+ 8.7.2. default.action
##########################################################################
# Settings -- Don't change! For internal Privoxy use ONLY.
##########################################################################
-
{{settings}}
-for-privoxy-version=3.0
crunch-outgoing-cookies
- +block-as-image = +block +handle-as-image
+ +block-as-image = +block{Blocked image.} +handle-as-image
mercy-for-cookies = -crunch-all-cookies -session-cookies-only -hide-referrer -kill-popups
shop = -crunch-all-cookies -filter{all-popups} -kill-popups
and
- information). We can mark any URL as an image with the +block+block{Banner ads.} }
# Generic patterns:
@@ -8511,9 +7716,9 @@ CLASS="SECT3"
>
{ +block }{ +block{} } section. Note that { +handle-as-image
@@ -8737,9 +7942,9 @@ CLASS="SCREEN"
>{ +block }
+>{Nasty ads.} }
www.example.com/nasty-ads/sponsor\.gif
- another.popular.site.net/more/junk/here/default.filter,
- but it is disabled in the distributed actions file. (My colleagues on the team just
- don't have a sense of humour, that's why! ;-). So you'd like to turn it on in your private,
+ but it is disabled in the distributed actions file.
+ So you'd like to turn it on in your private,
update-safe config, once and for all:8.7.2. user.action
8.7.3. user.action# My user.action file. <fred@foobar.com>
# My user.action file. <fred@example.com>