in <tt class="FILENAME">default.action</tt> are:</p>
<div class="TABLE">
- <a name="AEN2826" id="AEN2826"></a>
+ <a name="AEN2858" id="AEN2858"></a>
<p><b>Table 1. Default Configurations</b></p>
actions</a>.</p>
<div class="SECT2">
- <h2 class="SECT2"><a name="AEN2925" id="AEN2925">8.1. Finding the Right
+ <h2 class="SECT2"><a name="AEN2957" id="AEN2957">8.1. Finding the Right
Mix</a></h2>
<p>Note that some <a href="actions-file.html#ACTIONS">actions</a>, like
</div>
<div class="SECT2">
- <h2 class="SECT2"><a name="AEN2932" id="AEN2932">8.2. How to
+ <h2 class="SECT2"><a name="AEN2964" id="AEN2964">8.2. How to
Edit</a></h2>
<p>The easiest way to edit the actions files is with a browser by using
</div>
<div class="SECT3">
- <h3 class="SECT3"><a name="AEN3044" id="AEN3044">8.4.1. The Domain
+ <h3 class="SECT3"><a name="AEN3076" id="AEN3076">8.4.1. The Domain
Pattern</a></h3>
<p>The matching of the domain part offers some flexible options: if
</div>
<div class="SECT3">
- <h3 class="SECT3"><a name="AEN3120" id="AEN3120">8.4.2. The Path
+ <h3 class="SECT3"><a name="AEN3152" id="AEN3152">8.4.2. The Path
Pattern</a></h3>
<p><span class="APPLICATION">Privoxy</span> uses <span class=
</div>
<div class="SECT3">
- <h3 class="SECT3"><a name="AEN4795" id="AEN4795">8.5.35.
+ <h3 class="SECT3"><a name="AEN4827" id="AEN4827">8.5.35.
Summary</a></h3>
<p>Note that many of these actions have the potential to cause a page
together:</p>
<div class="SECT3">
- <h3 class="SECT3"><a name="AEN4859" id="AEN4859">8.7.1.
+ <h3 class="SECT3"><a name="AEN4891" id="AEN4891">8.7.1.
match-all.action</a></h3>
<p>Remember <span class="emphasis"><i class="EMPHASIS">all actions
</div>
<div class="SECT3">
- <h3 class="SECT3"><a name="AEN4881" id="AEN4881">8.7.2.
+ <h3 class="SECT3"><a name="AEN4913" id="AEN4913">8.7.2.
default.action</a></h3>
<p>If you aren't a developer, there's no need for you to edit the
</div>
<div class="SECT3">
- <h3 class="SECT3"><a name="AEN4994" id="AEN4994">8.7.3.
+ <h3 class="SECT3"><a name="AEN5026" id="AEN5026">8.7.3.
user.action</a></h3>
<p>So far we are painting with a broad brush by setting general
</div>
<div class="SECT2">
- <h2 class="SECT2"><a name="AEN5870" id="AEN5870">14.2. Privoxy's
+ <h2 class="SECT2"><a name="AEN5902" id="AEN5902">14.2. Privoxy's
Internal Pages</a></h2>
<p>Since <span class="APPLICATION">Privoxy</span> proxies each
<ul>
<li>
- <p>Privoxy main page:</p><a name="AEN5884" id="AEN5884"></a>
+ <p>Privoxy main page:</p><a name="AEN5916" id="AEN5916"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/" target=
<li>
<p>Show information about the current configuration, including
- viewing and editing of actions files:</p><a name="AEN5892" id=
- "AEN5892"></a>
+ viewing and editing of actions files:</p><a name="AEN5924" id=
+ "AEN5924"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/show-status" target=
</li>
<li>
- <p>Show the source code version numbers:</p><a name="AEN5897" id=
- "AEN5897"></a>
+ <p>Show the source code version numbers:</p><a name="AEN5929" id=
+ "AEN5929"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/show-version" target=
</li>
<li>
- <p>Show the browser's request headers:</p><a name="AEN5902" id=
- "AEN5902"></a>
+ <p>Show the browser's request headers:</p><a name="AEN5934" id=
+ "AEN5934"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/show-request" target=
</li>
<li>
- <p>Show which actions apply to a URL and why:</p><a name="AEN5907"
- id="AEN5907"></a>
+ <p>Show which actions apply to a URL and why:</p><a name="AEN5939"
+ id="AEN5939"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/show-url-info" target=
<span class="QUOTE">"off"</span>, <span class=
"QUOTE">"Privoxy"</span> continues to run, but only as a
pass-through proxy, with no actions taking place:</p><a name=
- "AEN5915" id="AEN5915"></a>
+ "AEN5947" id="AEN5947"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/toggle" target=
"_top">http://config.privoxy.org/toggle</a></p>
</blockquote>
- <p>Short cuts. Turn off, then on:</p><a name="AEN5919" id=
- "AEN5919"></a>
+ <p>Short cuts. Turn off, then on:</p><a name="AEN5951" id=
+ "AEN5951"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/toggle?set=disable" target=
"_top">http://config.privoxy.org/toggle?set=disable</a></p>
- </blockquote><a name="AEN5922" id="AEN5922"></a>
+ </blockquote><a name="AEN5954" id="AEN5954"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/toggle?set=enable" target=
</dl>
</div>
</div>
+
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="ENABLE-PROXY-AUTHENTICATION-FORWARDING"
+ id="ENABLE-PROXY-AUTHENTICATION-FORWARDING">7.4.9.
+ enable-proxy-authentication-forwarding</a></h4>
+
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+
+ <dd>
+ <p>Whether or not proxy authentication through <span class=
+ "APPLICATION">Privoxy</span> should work.</p>
+ </dd>
+
+ <dt>Type of value:</dt>
+
+ <dd>
+ <p>0 or 1</p>
+ </dd>
+
+ <dt>Default value:</dt>
+
+ <dd>
+ <p>0</p>
+ </dd>
+
+ <dt>Effect if unset:</dt>
+
+ <dd>
+ <p>Proxy authentication headers are removed.</p>
+ </dd>
+
+ <dt>Notes:</dt>
+
+ <dd>
+ <p>Privoxy itself does not support proxy authentication, but
+ can allow clients to authenticate against Privoxy's parent
+ proxy.</p>
+
+ <p>By default Privoxy (3.0.21 and later) don't do that and
+ remove Proxy-Authorization headers in requests and
+ Proxy-Authenticate headers in responses to make it harder for
+ malicious sites to trick inexperienced users into providing
+ login information.</p>
+
+ <p>If this option is enabled the headers are forwarded.</p>
+
+ <p>Enabling this option is <span class="emphasis"><i class=
+ "EMPHASIS">not recommended</i></span> if there is no parent
+ proxy that requires authentication or if the local network
+ between Privoxy and the parent proxy isn't trustworthy. If
+ proxy authentication is only required for some requests, it is
+ recommended to use a client header filter to remove the
+ authentication headers for requests where they aren't
+ needed.</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
</div>
<div class="SECT2">
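Review bot: In the Notes for 7.4.9, "By default Privoxy (3.0.21 and later) don't do that and remove ..." has a subject-verb mismatch and an unclear "that"; suggest "By default Privoxy (3.0.21 and later) does not forward them and removes Proxy-Authorization headers in requests and Proxy-Authenticate headers in responses". The last paragraph recommends "a client header filter" for the case where authentication is needed only for some requests, but neither names one nor links to the filter documentation. An administrator who enables this option has nothing concrete to follow, so please add a cross-reference or a short sample. "Effect if unset" could also say explicitly that both the request and the response headers are removed, matching the Notes.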
controlled easily with a web browser.</p>
<div class="SECT2">
- <h2 class="SECT2"><a name="AEN1074" id="AEN1074">6.1. Controlling
+ <h2 class="SECT2"><a name="AEN1078" id="AEN1078">6.1. Controlling
Privoxy with Your Web Browser</a></h2>
<p><span class="APPLICATION">Privoxy</span>'s user interface can be
</pre>
- <h2 class="BRIDGEHEAD"><a name="AEN1082" id=
- "AEN1082"></a> Privoxy Menu</h2>
+ <h2 class="BRIDGEHEAD"><a name="AEN1086" id=
+ "AEN1086"></a> Privoxy Menu</h2>
+ <pre>
+</pre>
<table border="0">
<tbody>
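Review bot: The added empty <pre> and </pre> pair directly after the "Privoxy Menu" BRIDGEHEAD heading carries no content and is unrelated to the new directive. It looks like an artifact of regenerating the HTML. Suggest fixing the SGML source or the conversion step so the empty element is not emitted, or dropping these two lines from the commit.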
started.</p>
<div class="SECT2">
- <h2 class="SECT2"><a name="AEN5149" id="AEN5149">9.1. Filter File
+ <h2 class="SECT2"><a name="AEN5181" id="AEN5181">9.1. Filter File
Tutorial</a></h2>
<p>Now, let's complete our <span class="QUOTE">"foo"</span> content
2001-2013 by <a href="http://www.privoxy.org/" target="_top">Privoxy
Developers</a></sub><br></p>
- <p class="PUBDATE">$Id: user-manual.sgml,v 2.173 2013/03/01 17:44:24
+ <p class="PUBDATE">$Id: user-manual.sgml,v 2.174 2013/03/02 14:39:24
fabiankeil Exp $<br></p>
<div>
<dd>
<dl>
- <dt>6.1. <a href="configuration.html#AEN1074">Controlling Privoxy
+ <dt>6.1. <a href="configuration.html#AEN1078">Controlling Privoxy
with Your Web Browser</a></dt>
<dt>6.2. <a href="configuration.html#CONFOVERVIEW">Configuration
<dt>7.4.8. <a href=
"config.html#BUFFER-LIMIT">buffer-limit</a></dt>
+
+ <dt>7.4.9. <a href=
+ "config.html#ENABLE-PROXY-AUTHENTICATION-FORWARDING">enable-proxy-authentication-forwarding</a></dt>
</dl>
</dd>
<dd>
<dl>
- <dt>8.1. <a href="actions-file.html#AEN2925">Finding the Right
+ <dt>8.1. <a href="actions-file.html#AEN2957">Finding the Right
Mix</a></dt>
- <dt>8.2. <a href="actions-file.html#AEN2932">How to Edit</a></dt>
+ <dt>8.2. <a href="actions-file.html#AEN2964">How to Edit</a></dt>
<dt>8.3. <a href="actions-file.html#ACTIONS-APPLY">How Actions
are Applied to Requests</a></dt>
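Review bot: The generated anchors in these TOC entries shift (actions-file.html#AEN2925 becomes #AEN2957, #AEN2932 becomes #AEN2964) only because a section was added earlier in the manual, so any external or bookmarked deep link to the old AEN ids now points nowhere. Suggest giving these sections explicit ids in the SGML source, as is already done for ACTIONS-APPLY and for the new ENABLE-PROXY-AUTHENTICATION-FORWARDING anchor, so that unrelated documentation changes stop renumbering them.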
<dd>
<dl>
- <dt>8.4.1. <a href="actions-file.html#AEN3044">The Domain
+ <dt>8.4.1. <a href="actions-file.html#AEN3076">The Domain
Pattern</a></dt>
- <dt>8.4.2. <a href="actions-file.html#AEN3120">The Path
+ <dt>8.4.2. <a href="actions-file.html#AEN3152">The Path
Pattern</a></dt>
<dt>8.4.3. <a href="actions-file.html#TAG-PATTERN">The Tag
"actions-file.html#SET-IMAGE-BLOCKER">set-image-blocker</a></dt>
<dt>8.5.35. <a href=
- "actions-file.html#AEN4795">Summary</a></dt>
+ "actions-file.html#AEN4827">Summary</a></dt>
</dl>
</dd>
<dd>
<dl>
<dt>8.7.1. <a href=
- "actions-file.html#AEN4859">match-all.action</a></dt>
+ "actions-file.html#AEN4891">match-all.action</a></dt>
<dt>8.7.2. <a href=
- "actions-file.html#AEN4881">default.action</a></dt>
+ "actions-file.html#AEN4913">default.action</a></dt>
<dt>8.7.3. <a href=
- "actions-file.html#AEN4994">user.action</a></dt>
+ "actions-file.html#AEN5026">user.action</a></dt>
</dl>
</dd>
</dl>
<dd>
<dl>
- <dt>9.1. <a href="filter-file.html#AEN5149">Filter File
+ <dt>9.1. <a href="filter-file.html#AEN5181">Filter File
Tutorial</a></dt>
<dt>9.2. <a href="filter-file.html#PREDEFINED-FILTERS">The
<dt>14.1. <a href="appendix.html#REGEX">Regular
Expressions</a></dt>
- <dt>14.2. <a href="appendix.html#AEN5870">Privoxy's Internal
+ <dt>14.2. <a href="appendix.html#AEN5902">Privoxy's Internal
Pages</a></dt>
<dd>
"GUIBUTTON">Edit</span>"</span>:</p>
<div class="FIGURE">
- <a name="AEN850" id="AEN850"></a>
+ <a name="AEN854" id="AEN854"></a>
<p><b>Figure 1. Actions Files in Use</b></p>
protocols.</p>
<div class="FIGURE">
- <a name="AEN905" id="AEN905"></a>
+ <a name="AEN909" id="AEN909"></a>
<p><b>Figure 2. Proxy Configuration Showing Mozilla/Netscape HTTP and
HTTPS (SSL) Settings</b></p>
only HTTP and HTTPS (SSL)!</p>
<div class="FIGURE">
- <a name="AEN950" id="AEN950"></a>
+ <a name="AEN954" id="AEN954"></a>
<p><b>Figure 3. Proxy Configuration Showing Internet Explorer HTTP and
HTTPS (Secure) Settings</b></p>
Release</a></h1>
<p><span class="APPLICATION">Privoxy 3.0.21</span> stable is a bug-fix
- release for Privoxy 3.0.20 beta. It also addresses a security issue that
- affects all previous Privoxy versions (on some platforms). The changes
- since 3.0.20 beta are:</p>
+ release for Privoxy 3.0.20 beta. It also addresses two security issues
+ that affect all previous Privoxy versions. The changes since 3.0.20 beta
+ are:</p>
<ul>
<li>
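Review bot: The rewritten sentence drops the "(on some platforms)" qualifier that the previous text attached to the existing security issue, and now states that both issues "affect all previous Privoxy versions". If the first issue is still platform-specific, keep the qualifier for it and describe the scope of the two issues separately, so readers can tell whether their installation is affected by each.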
limit to be reached.</p>
</li>
+ <li>
+ <p>Proxy authentication headers are removed unless the new
+ directive enable-proxy-authentication-forwarding is used.
+ Forwarding the headers potentionally allows malicious sites to
+ trick the user into providing it with login information. Reported
+ by Chris John Riley.</p>
+ </li>
+
<li>
<p>Compiles on OS/2 again now that unistd.h is only included on
platforms that have it.</p>
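Review bot: In the new changelog entry, "potentionally" is a typo for "potentially", and "trick the user into providing it with login information" uses "it" for the plural "malicious sites"; suggest "providing them with login information". Since this entry describes a security-relevant change in default behaviour, it would also help to mention that setups relying on authentication against a parent proxy must now set enable-proxy-authentication-forwarding explicitly.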
<p>Unblock '.advrider.com/' and '/.*ADVrider'. Anonymously
reported in #3603636.</p>
</li>
+
<li>
- <p>Stop blocking '/js/slider\.js'.
- Reported by Adam Piggott in #3606635 and _lvm in #2791160.</p>
+ <p>Stop blocking '/js/slider\.js'. Reported by Adam Piggott in
+ #3606635 and _lvm in #2791160.</p>
</li>
</ul>
</li>