I was doing some investigating of various browser telemetry using android pcap log. I noticed that on any browser I install bypass paywall plus there is a call to gitflic.ru when viewing a page even when it’s not on the list of processed websites in the extension. I can’t tell the contents as it’s https. Considering this extension and developer have been around for a long time I’ve no reason to suspect the extension but I’m wondering why the connection? I doubt it’s checking for updates as it does it often when viewing any page. Any thoughts from anyone? I’m not trying to run down the app at all, I think it’s really good, just wondering why the connection.
I took a cursory glance through the source code (for the Firefox version, at least), and I’m not seeing any calls to the gitflic.ru URL outside of the update functions (there appear to be two different places where these might be triggered) and one function for importing custom sites:
I noticed in the manifest.json, there is the optional permissions array:
"optional_permissions":["*://*/*"],
Which seems to grant the extension access to all URLs, so maybe that’s why the HTTP request is able to fire on any given website rather than just the ones explicitly defined in the regular permissions array. Though this is speculation on my part; I’ve only ever written one or two complex Firefox extensions. I’m not sure if the “optional permissions” array can be declined upon installation (or configured in the extension settings after installation); perhaps access to the wildcard URL can be revoked so that this update call isn’t occurring constantly.
All looks okay to me, but this was a very quick audit.
Ok, it does look like it’s checking for list updates, just more often.l than I expected. I went into the settings and disabled as below and the calls stop. So all good!
“check update opt-in
Check for update of version (on startup and when opening options):
check update enabled: NO”
I was doing some investigating of various browser telemetry using android pcap log. I noticed that on any browser I install bypass paywall plus there is a call to gitflic.ru when viewing a page even when it’s not on the list of processed websites in the extension. I can’t tell the contents as it’s https. Considering this extension and developer have been around for a long time I’ve no reason to suspect the extension but I’m wondering why the connection? I doubt it’s checking for updates as it does it often when viewing any page. Any thoughts from anyone? I’m not trying to run down the app at all, I think it’s really good, just wondering why the connection.
I took a cursory glance through the source code (for the Firefox version, at least), and I’m not seeing any calls to the gitflic.ru URL outside of the update functions (there appear to be two different places where these might be triggered) and one function for importing custom sites:
// Import custom sites from local/online function import_url_options(e, online) { let url = '/custom/sites_custom.json'; if (online) url = 'https://gitflic.ru/project/magnolia1234/bpc_updates/blob/raw?file=sites_custom.json' + '&rel=' + randomInt(100000); try { fetch(url) .then(response => { if (response.ok) { response.text().then(result => { import_json(result); }) } }); } catch (err) { console.log(err); } }I noticed in the manifest.json, there is the optional permissions array:
"optional_permissions": [ "*://*/*" ],Which seems to grant the extension access to all URLs, so maybe that’s why the HTTP request is able to fire on any given website rather than just the ones explicitly defined in the regular permissions array. Though this is speculation on my part; I’ve only ever written one or two complex Firefox extensions. I’m not sure if the “optional permissions” array can be declined upon installation (or configured in the extension settings after installation); perhaps access to the wildcard URL can be revoked so that this update call isn’t occurring constantly.
All looks okay to me, but this was a very quick audit.
Ok, it does look like it’s checking for list updates, just more often.l than I expected. I went into the settings and disabled as below and the calls stop. So all good!
“check update opt-in Check for update of version (on startup and when opening options): check update enabled: NO”
Many thanks for checking this. When I used the following setting in the extension I didn’t see any further calls.
“check update opt-in Check for update of version (on startup and when opening options): check update enabled: NO”