.
Note: the config file option enale-edit-actionsenable-edit-actions must be enabled for
this to work. The editor allows both fine-grained control over every single
feature on a per-URL basis, and easy choosing from wholesale sets of defaults
@@ -677,7 +680,7 @@ CLASS="LITERAL"
>handle-as-image +blockblock{Banner ads.} }
# Block these as if they were images. Send no block page.
banners.example.com
@@ -769,16 +772,16 @@ CLASS="EMPHASIS"
> The pattern matching syntax is different for the domain and path parts of
the URL. The domain part uses a simple globbing type matching technique,
- while the path part uses a more flexible
+ while the path part uses more flexible
"Regular
- Expressions (PCRE)" based syntax. matches any domain that ENDS in
- matches any domain with first-level domain .example.comcom
+ and second-level domain example.
+ For example www.example.com,
+ example.com and foo.bar.baz.example.com.
+ Note that it wouldn't match if the second-level domain was another-example.
Privoxy uses Perl compatible (PCRE)
+> uses "modern" POSIX 1003.2
"Regular
- Expression" based syntax
- (through the PCRE library) for
- matching the path portion (after the slash), and is thus more flexible. There is an Appendix with a brief quick-start into regular
- expressions, and full (very technical) documentation on PCRE regex syntax is available on-line
- at http://www.pcre.org/man.txt.
- You might also find the Perl man page on regular expressions (man perlre)
- useful, which is available on-line at http://perldoc.perl.org/perlre.html. Note that the path pattern is automatically left-anchored at the Privoxy doesn't silently add a "^",
@@ -1413,13 +1423,18 @@ CLASS="QUOTE"
tags can be used to activate other tagger actions, as long as these other
taggers look for headers that haven't already be parsed. For example you could tag client requests which use the POST method,
- use this tag to activate another tagger that adds a tag if cookies
- are send, and then block based on the cookie tag. However if you'd
- reverse the position of the described taggers, and activated the method
- tagger based on the cookie tagger, no method tags would be created.
+> For example you could tag client requests which use the
+ POST method,
+ then use this tag to activate another tagger that adds a tag if cookies
+ are sent, and then use a block action based on the cookie tag. This allows
+ the outcome of one action, to be input into a subsequent action. However if
+ you'd reverse the position of the described taggers, and activated the
+ method tagger based on the cookie tagger, no method tags would be created.
The method tagger would look for the request line, but at the time
- the cookie tag is created the request line has already been parsed. While this is a limitation you should be aware of, this kind of
indirection is seldom needed anyway and even the example doesn't
@@ -1540,7 +1555,7 @@ CLASS="REPLACEABLE"
>
Example: +block+handle-as-image
Boolean. N/A
@@ -1973,18 +1971,18 @@ WIDTH="90%"
> Improve privacy by not forwarding the source of the request in the HTTP headers. Deletes the "X-Forwarded-For:" HTTP header from the client request,
+ or adds a new one.
+ Parameterized. "block" to delete the header. "add" to create the header (or append
+ the client's IP address to an already existing one).
+ It is safe and recommended to use block.
+ Forwarding the source address of the request may make
+ sense in some multi-user setups but is also a privacy risk.
+ If the request URL gets changed, Privoxy will detect that and use the new
+ one. This can be used to rewrite the request destination behind the client's
+ back, for example to specify a Tor exit relay for certain requests.
+ Please refer to the filter file chapter This action takes parameters similar to the
+> This action takes parameters similar to the
forward8.5.17. handle-as-empty-document8.5.18. handle-as-empty-document It is a good idea to only use a small negative value and let
@@ -4940,7 +5069,8 @@ CLASS="LITERAL"
HREF="actions-file.html#CRUNCH-IF-NONE-MATCH"
>crunch-if-none-match.
+>,
+ otherwise it's more or less pointless.
Improve privacy by not embedding the source of the request in the HTTP headers. Deletes any existing "X-Forwarded-for:" HTTP header from client requests,
- and prevents adding a new one.
- Boolean. N/A
- It is safe to leave this on.
- "conditional-forge" to forge the header if the host has changed. "block" to delete the header unconditionally. Always blocking the referrer, or using a custom one, can lead to
failures on servers that check the referrer before they answer any
- requests, in an attempt to prevent their valuable content from being
+ requests, in an attempt to prevent their content from being
embedded or linked to elsewhere.
Typical use: Conceal your type of browser and client operating system To protect against the MS buffer over-run in JPEG processing Protect against a known exploit
+> Specifies to which ports HTTP CONNECT requests are allowable.
Boolean. N/A
+> A comma-separated list of ports or port ranges (the latter using dashes, with the minimum
+ defaulting to 0 and the maximum to 65K).
See Microsoft Security Bulletin MS04-028. JPEG images are one of the most
- common image types found across the Internet. The exploit as described can
- allow execution of code on the target system, giving an attacker access
- to the system in question by merely planting an altered JPEG image, which
- would have no obvious indications of what lurks inside. This action
- prevents this exploit.
- Note that the described exploit is only one of many,
- using this action does not mean that you no longer
- have to patch the client.
- Eliminate those annoying pop-up windows (deprecated) While loading the document, replace JavaScript code that opens
- pop-up windows with (syntactically neutral) dummy code on the fly.
- Boolean. N/A
- This action is basically a built-in, hardwired special-purpose filter
- action, but there are important differences: For kill-popups,
- the document need not be buffered, so it can be incrementally rendered while
- downloading. But kill-popups doesn't catch as many pop-ups as
- filter{all-popups}
- does and is not as smart as filter{unsolicited-popups}
- is.
- Think of it as a fast and efficient replacement for a filter that you
- can use if you don't want any filtering at all. Note that it doesn't make
- sense to combine it with any filter action,
- since as soon as one filter applies,
- the whole document needs to be buffered anyway, which destroys the advantage of
- the kill-popups action over its filter equivalent.
- Killing all pop-ups unconditionally is problematic. Many shops and banks rely on
- pop-ups to display forms, shopping carts etc, and the filter{unsolicited-popups}
- does a better job of catching only the unwanted ones.
- If the only kind of pop-ups that you want to kill are exit consoles (those
- really nasty windows that appear when you close an other
- one), you might want to use
- filter{js-annoyances}
- instead.
- This action is most appropriate for browsers that don't have any controls
- for unwanted pop-ups. Not recommended for general usage.
- Prevent abuse of Privoxy as a TCP proxy relay or disable SSL for untrusted sites Specifies to which ports HTTP CONNECT requests are allowable.
- Parameterized. A comma-separated list of ports or port ranges (the latter using dashes, with the minimum
- defaulting to 0 and the maximum to 65K).
- By default, i.e. if no limit-connect action applies,
- Privoxy only allows HTTP CONNECT
- requests to port 443 (the standard, secure HTTPS port). Use
- limit-connect if more fine-grained control is desired
- for some or all destinations.
+> By default, i.e. if no limit-connect action applies,
+ Privoxy allows HTTP CONNECT requests to all
+ ports. Use limit-connect if fine-grained control
+ is desired for some or all destinations.
The CONNECT methods exists in HTTP to allow access to secure websites
@@ -5785,8 +5599,7 @@ CLASS="QUOTE"
> URLs) through proxies. It works very simply:
the proxy connects to the server on the specified port, and then
short-circuits its connections to the client and to the remote server.
- This can be a big security hole, since CONNECT-enabled proxies can be
- abused as TCP relays very easily.
+ This means CONNECT-enabled proxies can be used as TCP relays very easily.
Privoxy's
filters. By specifying an invalid port range you can disable HTTPS entirely.
- If you plan to disable SSL by default, consider enabling
- treat-forbidden-connects-like-blocks
- as well, to be able to quickly create exceptions.
When compiled with zlib support (available since 8.5.30. overwrite-last-modified8.5.28. overwrite-last-modified Redirect requests to other sites.
- Convinces the browser that the requested document has been moved
- to another location and the browser should get it from there.
- Parameterized An absolute URL or a single pcrs command.
- Requests to which this action applies are answered with a
- HTTP redirect to URLs of your choosing. The new URL is
- either provided as parameter, or derived by applying a
- single pcrs command to the original URL.
- This action will be ignored if you use it together with
- block.
- It can be combined with
- fast-redirects{check-decoded-url}
- to redirect to a decoded version of a rewritten URL.
- Use this action carefully, make sure not to create redirection loops
- and be aware that using your own redirects might make it
- possible to fingerprint your requests.
- Feed log analysis scripts with useless data.
- Sends a cookie with each request stating that you do not accept any copyright
- on cookies sent to you, and asking the site operator not to track you.
- Boolean. N/A
- The vanilla wafer is a (relatively) unique header and could conceivably be used to track you.
- This action is rarely used and not enabled in the default configuration.
- Send custom cookies or feed log analysis scripts with even more useless data.
+> Redirect requests to other sites.
Sends a custom, user-defined cookie with each request.
+> Convinces the browser that the requested document has been moved
+ to another location and the browser should get it from there.
Multi-value. A string of the form "name=value".
+> An absolute URL or a single pcrs command.
Being multi-valued, multiple instances of this action can apply to the same request,
- resulting in multiple cookies being sent.
+> Requests to which this action applies are answered with a
+ HTTP redirect to URLs of your choosing. The new URL is
+ either provided as parameter, or derived by applying a
+ single pcrs command to the original URL.
+ This action will be ignored if you use it together with
+ block.
+ It can be combined with
+ fast-redirects{check-decoded-url}
+ to redirect to a decoded version of a rewritten URL.
+ Use this action carefully, make sure not to create redirection loops
+ and be aware that using your own redirects might make it
+ possible to fingerprint your requests.
This action is rarely used and not enabled in the default configuration.
+> In case of problems with your redirects, or simply to watch
+ them working, enable debug 128.
Disable or disable filters based on the Content-Type header.
+> Enable or disable filters based on the Content-Type header.
Block forbidden connects with an easy to find error message. If this action is enabled, Privoxy no longer
- makes a difference between forbidden connects and ordinary blocks.
- Boolean N/A By default Privoxy answers
- forbidden "Connect" requests
- with a short error message inside the headers. If the browser doesn't display
- headers (most don't), you just see an empty page.
- With this action enabled, Privoxy displays
- the message that is used for ordinary blocks instead. If you decide
- to make an exception for the page in question, you can do so by
- following the "See why" link.
- For "Connect" requests the clients tell
- Privoxy which host they are interested
- in, but not which document they plan to get later. As a result, the
- "Go there anyway" wouldn't work and is therefore suppressed.
- Note that many of these actions have the potential to cause a page to
@@ -7316,7 +6864,7 @@ HREF="actions-file.html#CRUNCH-INCOMING-COOKIES"
HREF="actions-file.html#CRUNCH-OUTGOING-COOKIES"
>crunch-outgoing-cookies
- +block-as-image = +block +handle-as-image
+ +block-as-image = +block{Blocked image.} +handle-as-image
allow-all-cookies = -crunch-all-cookies -session-cookies-onlyhide-referrer -kill-popups -prevent-compression
@@ -7351,9 +6896,6 @@ HREF="actions-file.html#PREVENT-COMPRESSION"
shop = -crunch-all-cookies -filter{all-popups} -kill-popups
# Short names for other aliases, for really lazy people ;-)
@@ -7399,7 +6941,7 @@ CLASS="SCREEN"
# These shops require pop-ups:
#
- {-kill-popups -filter{all-popups} -filter{unsolicited-popups}}
+ {-filter{all-popups} -filter{unsolicited-popups}}
.dabs.com
.overclockers.co.uk crunch-outgoing-cookies
- +block-as-image = +block +handle-as-image
+ +block-as-image = +block{Blocked image.} +handle-as-image
mercy-for-cookies = -crunch-all-cookies -session-cookies-only -hide-referrer -kill-popups
shop = -crunch-all-cookies -filter{all-popups} -kill-popups Again, at the start of matching, all actions are disabled, so there is
- no real need to disable any actions here, but we will do that nonetheless,
- to have a complete listing for your reference. (Remember: a "+"
@@ -7647,182 +7182,30 @@ CLASS="SCREEN"
# "Defaults" section:
##########################################################################
{ \
- -add-header \
- -client-header-filter{hide-tor-exit-notation} \
- -block \
- -content-type-overwrite \
- -crunch-client-header \
- -crunch-if-none-match \
- -crunch-incoming-cookies \
- -crunch-server-header \
- -crunch-outgoing-cookieschange-x-forwarded-for{block} \
+deanimate-gifs \
- -downgrade-http-version \
- -fast-redirects{check-decoded-url} \
- -filter{js-annoyances} \
- -filter{js-events} \
+filter{html-annoyances} \
- -filter{content-cookies} \
+filter{refresh-tags} \
- -filter{unsolicited-popups} \
- -filter{all-popups} \
- -filter{img-reorder} \
- -filter{banners-by-size} \
- -filter{banners-by-link} \
+filter{webbugs} \
- -filter{tiny-textforms} \
- -filter{jumping-windows} \
- -filter{frameset-borders} \
- -filter{demoronizer} \
- -filter{shockwave-flash} \
- -filter{quicktime-kioskmode} \
- -filter{fun} \
- -filter{crude-parental} \
+filter{ie-exploits} \
- -filter{google} \
- -filter{yahoo} \
- -filter{msn} \
- -filter{blogspot} \
- -filter{no-ping} \
- -force-text-mode \
- -handle-as-empty-document \
- -handle-as-image \
- -hide-accept-language \
- -hide-content-disposition \
- -hide-if-modified-since \
- +hide-forwarded-for-headers \
+hide-from-header{block}hide-referrer{forge} \
- -hide-user-agent \
- -inspect-jpegs \
- -kill-popups \
- -limit-connect \
+prevent-compression \
- -overwrite-last-modified \
- -redirect \
- -send-vanilla-wafer \
- -send-wafer \
- -server-header-filter{xml-to-html} \
- -server-header-filter{html-to-xml} \
+set-image-blocker{pattern} \
- -treat-forbidden-connects-like-blocks \
}
/ # forward slash will match *all* potential URL patterns. The default behavior is now set. Note that some actions, like not hiding
- the user agent, are part of a "general policy" that applies
- universally and won't get any exceptions defined later. Other choices,
- like not blocking (which is understandably the
- default!) need exceptions, i.e. we need to specify explicitly what we
- want to block in later sections. The first of our specialized sections is concerned with +block+block{Banner ads.} }
# Generic patterns:
@@ -8392,7 +7718,7 @@ CLASS="SECT3"
>no no yesyes 8.1. Finding the Right Mix
8.2. How to Edit
8.4.1. The Domain Pattern
8.4.2. The Path Pattern
{+block}
+>{+block{No nasty stuff for you.}}
# Block and replace with "blocked" page
.nasty-stuff.example.com
-{+block +handle-as-image}
+{+block{Doubleclick banners.} +handle-as-image}
# Block and replace with image
.ad.doubleclick.net
.ads.r.us/banners/
-{+block +handle-as-empty-document}
+{+block{Layered ads.} +handle-as-empty-document}
# Block and then ignore
- adserver.exampleclick.net/.*\.js$8.5.3. change-x-forwarded-for
+ +change-x-forwarded-for{block}8.5.3. client-header-filter8.5.4. client-header-filter
{+client-header-filter{hide-tor-exit-notation}}
-.exit/
+># Hide Tor exit notation in Host and Referer Headers
+{+client-header-filter{hide-tor-exit-notation}}
+/
+filter{js-annoyances} # Get rid of particularly annoying JavaScript abuse+filter{js-annoyances} # Get rid of particularly annoying JavaScript abuse.+filter{js-events} # Kill all JS event bindings (Radically destructive! Only for extra nasty sites)+filter{js-events} # Kill all JS event bindings and timers (Radically destructive! Only for extra nasty sites).+filter{html-annoyances} # Get rid of particularly annoying HTML abuse+filter{html-annoyances} # Get rid of particularly annoying HTML abuse.+filter{content-cookies} # Kill cookies that come in the HTML or JS content+filter{content-cookies} # Kill cookies that come in the HTML or JS content.+filter{refresh-tags} # Kill automatic refresh tags (for dial-on-demand setups)+filter{refresh-tags} # Kill automatic refresh tags (for dial-on-demand setups).+filter{img-reorder} # Reorder attributes in <img> tags to make the banners-by-* filters more effective+filter{img-reorder} # Reorder attributes in <img> tags to make the banners-by-* filters more effective.+filter{banners-by-size} # Kill banners by size+filter{banners-by-size} # Kill banners by size.+filter{banners-by-link} # Kill banners by their links to known clicktrackers+filter{banners-by-link} # Kill banners by their links to known clicktrackers.+filter{webbugs} # Squish WebBugs (1x1 invisible GIFs used for user tracking)+filter{webbugs} # Squish WebBugs (1x1 invisible GIFs used for user tracking).+filter{tiny-textforms} # Extend those tiny textareas up to 40x80 and kill the hard wrap+filter{tiny-textforms} # Extend those tiny textareas up to 40x80 and kill the hard wrap.+filter{jumping-windows} # Prevent windows from resizing and moving themselves+filter{jumping-windows} # Prevent windows from resizing and moving themselves.+filter{frameset-borders} # Give frames a border and make them resizeable+filter{frameset-borders} # Give frames a border and make them resizable.+filter{demoronizer} # Fix MS's non-standard use of standard charsets+filter{demoronizer} # Fix MS's non-standard use of standard charsets.+filter{shockwave-flash} # Kill embedded Shockwave Flash objects+filter{shockwave-flash} # Kill embedded Shockwave Flash objects.+filter{quicktime-kioskmode} # Make Quicktime movies savable+filter{quicktime-kioskmode} # Make Quicktime movies saveable.+filter{crude-parental} # Crude parental filtering (demo only)+filter{crude-parental} # Crude parental filtering. Note that this filter doesn't work reliably.+filter{ie-exploits} # Disable a known Internet Explorer bug exploits+filter{ie-exploits} # Disable some known Internet Explorer bug exploits.+filter{site-specifics} # Custom filters for specific site related problems+filter{site-specifics} # Cure for site-specific problems. Don't apply generally!+filter{google} # Removes text ads and other Google specific improvements+filter{no-ping} # Removes non-standard ping attributes in <a> and <area> tags.+filter{yahoo} # Removes text ads and other Yahoo specific improvements+filter{google} # CSS-based block for Google text ads. Also removes a width limitation and the toolbar advertisement.+filter{msn} # Removes text ads and other MSN specific improvements+filter{yahoo} # CSS-based block for Yahoo text ads. Also removes a width limitation.+filter{blogspot} # Cleans up Blogspot blogs+filter{msn} # CSS-based block for MSN text ads. Also removes tracking URLs and a width limitation.
8.5.15. force-text-mode8.5.16. force-text-mode8.5.16. forward-override8.5.17. forward-override"forward-socks4"
- to use a socks4 connection (with local DNS resolution) instead.
+ to use a socks4 connection (with local DNS resolution) instead, use "forward-socks5"
+ for socks5 connections (with remote DNS resolution).
+filter{no-ping} # Removes non-standard ping attributes from anchor and area tags+filter{blogspot} # Cleans up some Blogspot blogs. Read the fine print before using this.# Let the browser revalidate without being tracked across sessions
-{ +hide-if-modified-since{-60} \
+># Let the browser revalidate but make tracking based on the time less likely.
+{+hide-if-modified-since{-60} \
+overwrite-last-modified{randomize} \
+crunch-if-none-match}
/8.5.22. hide-forwarded-for-headers
- +hide-forwarded-for-headers
8.5.23. hide-from-header
8.5.26. inspect-jpegs8.5.26. limit-connect
Typical use:+inspect-jpegs
8.5.27. kill-popups
+kill-popups
8.5.28. limit-connect
+limit-connect{443} # This is the default and need not be specified.
+>+limit-connect{443} # Port 443 is OK.
+limit-connect{80,443} # Ports 80 and 443 are OK.
+limit-connect{-3, 7, 20-100, 500-} # Ports less than 3, 7, 20 to 100 and above 500 are OK.
+limit-connect{-} # All ports are OK
@@ -5841,7 +5645,7 @@ CLASS="SECT3"
CLASS="SECT3"
>8.5.29. prevent-compression8.5.27. prevent-compressionfilter, and
+ deanimate-gifs
- and kill-popups actions need
- access to the uncompressed data.
+ actions need access to the uncompressed data.
# Let the browser revalidate without being tracked across sessions
-{ +hide-if-modified-since{-60} \
- +overwrite-last-modified{randomize} \
- +crunch-if-none-match}
-/8.5.31. redirect
- # Replace example.com's style sheet with another one
-{ +redirect{http://localhost/css-replacements/example.com.css} }
- example.com/stylesheet\.css
-
-# Create a short, easy to remember nickname for a favorite site
-# (relies on the browser accept and forward invalid URLs to Privoxy)
-{ +redirect{http://www.privoxy.org/user-manual/actions-file.html} }
- a
-
-# Always use the expanded view for Undeadly.org articles
-# (Note the $ at the end of the URL pattern to make sure
-# the request for the rewritten URL isn't redirected as well)
-{+redirect{s@$@&mode=expanded@}}
-undeadly.org/cgi\?action=article&sid=\d*$8.5.32. send-vanilla-wafer
+send-vanilla-wafer
# Let the browser revalidate without being tracked across sessions
+{ +hide-if-modified-since{-60} \
+ +overwrite-last-modified{randomize} \
+ +crunch-if-none-match}
+/8.5.33. send-wafer8.5.29. redirect
Typical use:
8.5.34. server-header-filter8.5.30. server-header-filter8.5.35. server-header-tagger8.5.31. server-header-taggerTypical use:{+send-wafer{UsingPrivoxy=true}}
-my-internal-testing-server.void# Replace example.com's style sheet with another one
+{ +redirect{http://localhost/css-replacements/example.com.css} }
+ example.com/stylesheet\.css
+
+# Create a short, easy to remember nickname for a favorite site
+# (relies on the browser accept and forward invalid URLs to Privoxy)
+{ +redirect{http://www.privoxy.org/user-manual/actions-file.html} }
+ a
+
+# Always use the expanded view for Undeadly.org articles
+# (Note the $ at the end of the URL pattern to make sure
+# the request for the rewritten URL isn't redirected as well)
+{+redirect{s@$@&mode=expanded@}}
+undeadly.org/cgi\?action=article&sid=\d*$
+
+# Redirect Google search requests to MSN
+{+redirect{s@^http://[^/]*/search\?q=([^&]*).*@http://search.msn.com/results.aspx?q=$1@}}
+.google.com/search
+
+# Redirect MSN search requests to Yahoo
+{+redirect{s@^http://[^/]*/results\.aspx\?q=([^&]*).*@http://search.yahoo.com/search?p=$1@}}
+search.msn.com//results\.aspx\?q=
+
+# Redirect remote requests for this manual
+# to the local version delivered by Privoxy
+{+redirect{s@^http://www@http://config@}}
+www.privoxy.org/user-manual/# Tag every request with the declared content type
+># Tag every request with the content type declared by the server
{+server-header-tagger{content-type}}
/
8.5.36. session-cookies-only8.5.32. session-cookies-only8.5.37. set-image-blocker8.5.33. set-image-blocker8.5.38. treat-forbidden-connects-like-blocks
- +treat-forbidden-connects-like-blocks
8.5.39. Summary8.5.34. Summary
8.7.1. default.action
8.7.2. user.action
# My user.action file. <fred@foobar.com>
# My user.action file. <fred@example.com>