Add $removeheader modifier support #1427
Comments
Once this task is completed, we should also:

Maybe the following:

Yep, sounds good. Please edit the spec accordingly.

It's not mentioned in the spec, but should we provide a way to negate such rules only for requests or responses? But with the current syntax, we cannot provide the same possibility for responses.

I suppose negating ALL

@ameshkov not able to remove:

@dnmTX well, removing headers won't help you control WebSockets. Blocking them is easy already (something like this:

I would also suggest allowing blocking ANY header in the user filter at least. If a user manually lowers their security, it's their responsibility, not yours. I specifically got Adguard because it did not take away my decisions of what is "safe" and what isn't. For anyone else who wants full control over their traffic: https://alternativeto.net/software/requestly/about/ https://app.requestly.io/rules/#sharedList/1673471223673-Strip-Restricting-Headers

$removeheader

Rules with $removeheader modifier are intended to remove headers from HTTP requests and responses. The initial motivation for this rule type is to be able to get rid of the Refresh header which is often used to redirect users to an undesirable location. However, this is not the only case where this modifier can be useful.

Just like $csp, $redirect, $removeparam, and $cookie, this modifier exists independently, rules with it do not depend on the regular basic rules, i.e. regular exception or blocking rules will not affect it. By default, it only affects response headers. However, you can also change it to remove headers from HTTP requests as well.

Syntax

Basic syntax

||example.org^$removeheader=header-name -- removes a response header called header-name
||example.org^$removeheader=request:header-name -- removes a request header called header-name

Please note that $removeheader is case-insensitive, but we suggest always using lower case.

Negating $removeheader

This type of rules works pretty much the same way it works with $csp and $redirect modifiers.

Use @@ to negate $removeheader:

@@||example.org^$removeheader -- negates all $removeheader rules for URLs that match ||example.org^.
@@||example.org^$removeheader=header -- negates the rule with $removeheader=header for any request matching ||example.org^.

$removeheader rules can also be disabled by $document and $urlblock exception rules. But basic exception rules without modifiers don't do that. For example, @@||example.com^ will not disable $removeheader=p for requests to example.com, but @@||example.com^$urlblock will.

Restrictions

$removeheader cannot remove headers from the list below:

access-control-allow-origin
access-control-allow-credentials
access-control-allow-headers
access-control-allow-methods
access-control-expose-headers
access-control-max-age
access-control-request-headers
access-control-request-method
origin
timing-allow-origin
allow
cross-origin-embedder-policy
cross-origin-opener-policy
cross-origin-resource-policy
content-security-policy
content-security-policy-report-only
expect-ct
feature-policy
origin-isolation
strict-transport-security
upgrade-insecure-requests
x-content-type-options
x-download-options
x-frame-options
x-permitted-cross-domain-policies
x-powered-by
x-xss-protection
public-key-pins
public-key-pins-report-only
sec-websocket-key
sec-websocket-extensions
sec-websocket-accept
sec-websocket-protocol
sec-websocket-version
p3p
sec-fetch-mode
sec-fetch-dest
sec-fetch-site
sec-fetch-user
referrer-policy
content-type
content-length
accept
accept-encoding
host
connection
transfer-encoding
upgrade

$removeheader rules are not compatible with any other modifiers except $domain, $third-party, $app, $important, $match-case and content type modifiers (e.g. $script, $stylesheet, etc). The rules which have any other modifiers are considered invalid and will be discarded.

Examples

||example.org^$removeheader=refresh - removes Refresh header from all HTTP responses returned by example.org and its subdomains.
||example.org^$removeheader=request:x-client-data - removes X-Client-Data header from all HTTP requests
Refresh and Location headers from all HTTP responses returned by example.org save for requests to example.org/path/* for which no headers will be removed.
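
The syntax, negation and restriction rules from the spec above, as an added Python example that is not part of the original issue or the project's code. It assumes URL pattern matching has already selected the rules that apply to the request. The function names are hypothetical, and two behaviours are assumptions: a valued exception negates only the rule with the same normalized value (including any request: prefix), and a rule naming no header is ignored.

```python
# Added example: evaluates $removeheader values for one request whose URL
# pattern already matched (pattern matching itself is out of scope here).

# Headers the spec above says $removeheader cannot remove.
RESTRICTED = frozenset("""
access-control-allow-origin access-control-allow-credentials access-control-allow-headers
access-control-allow-methods access-control-expose-headers access-control-max-age
access-control-request-headers access-control-request-method origin timing-allow-origin allow
cross-origin-embedder-policy cross-origin-opener-policy cross-origin-resource-policy
content-security-policy content-security-policy-report-only expect-ct feature-policy
origin-isolation strict-transport-security upgrade-insecure-requests x-content-type-options
x-download-options x-frame-options x-permitted-cross-domain-policies x-powered-by
x-xss-protection public-key-pins public-key-pins-report-only sec-websocket-key
sec-websocket-extensions sec-websocket-accept sec-websocket-protocol sec-websocket-version
p3p sec-fetch-mode sec-fetch-dest sec-fetch-site sec-fetch-user referrer-policy content-type
content-length accept accept-encoding host connection transfer-encoding upgrade
""".split())


def normalize(value):
    """Split a modifier value into (direction, lower-cased header name)."""
    value = value.strip().lower()
    if value.startswith("request:"):
        return "request", value[len("request:"):]
    return "response", value


def is_valid(value):
    """Assumption: a rule naming no header or a restricted one is ignored."""
    _, name = normalize(value)
    return bool(name) and name not in RESTRICTED


def filter_headers(headers, direction, removals, exceptions=()):
    """Return the headers left after applying matching $removeheader rules.

    headers: list of (name, value); direction: "request" or "response".
    removals: modifier values of the matching removal rules.
    exceptions: values of matching @@ rules; "" negates every rule.
    """
    if "" in exceptions:
        return list(headers)
    negated = {normalize(e) for e in exceptions}
    targets = {normalize(v) for v in removals if is_valid(v)} - negated
    drop = {name for d, name in targets if d == direction}
    return [(n, v) for n, v in headers if n.lower() not in drop]
```
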