0.7.1 #29

Merged: joshrmcdaniel merged 11 commits into main from develop on May 30, 2026

joshrmcdaniel (Owner) commented May 29, 2026

  • Fix WebSocket / protocol-upgrade connections hanging
    • Upgrade requests (wss://, and proprietary HTTP-upgrade transports like MMTLS long-link) could spin forever with upgrade expected but not completed. The proxy fabricated a 101 Switching Protocols to the client regardless of what the upstream actually returned, so a failed upgrade left the client waiting on a tunnel that was never bridged. It now forwards the upstream's real response when it isn't a genuine 101, and the dedicated upgrade HTTP client gained the same connection hardening (connect_timeout, tcp_keepalive, no idle pooling) as the main client.
    • Excluded hosts performing a plain-HTTP protocol upgrade are now blind-tunneled at the TCP level instead of being run through the (HTTP-only) upgrade bridge, so MITM-excluded apps using non-HTTP upgrade protocols work. Previously the exclusion list was only consulted on the CONNECT path, so excluding such a host had no effect on its plain-HTTP upgrade traffic.
    • When an opaque (non-WebSocket) upgrade is seen for a host that is not excluded, a warning is logged naming the host and suggesting it be added to the exclusions, instead of failing cryptically.
  • Validate filter lists when added
    • Adding a filter now rejects URLs that do not serve a text/plain filter list (e.g. an HTML error/landing page returned with a 200) with a 422, instead of silently saving a broken filter. The error is surfaced in the web UI, and filters whose URL stops serving a list are dropped from the engine with a warning on the next refresh.
  • Fix proxied requests randomly hanging/timing out
    • The outbound HTTP client had no connection timeouts, so a pooled keep-alive connection silently dropped by the remote would be reused and block until the OS TCP timeout (minutes). Added connect_timeout, pool_idle_timeout, and tcp_keepalive.
  • DNS-over-HTTPS (DoH) interception
    • Detects DoH requests passing through the MITM proxy (RFC 8484 application/dns-message, JSON DoH, and known resolver endpoints)
    • block mode (default) refuses DoH so fallback-mode clients (e.g. default Firefox) revert to the system resolver, which Privaxy already sees — the HTTP-layer equivalent of the use-application-dns.net canary a non-DNS proxy cannot serve
    • redirect mode transparently forwards queries to a configured upstream resolver
    • Configured under [network.doh] (mode, upstream, extra_hosts) or from the web UI under Settings → General; MITM-excluded hosts are left untouched
  • Fix cookie not invalidating upon logout/cred change
  • All four engine-matching call sites now use match_url (canonical, default port stripped); the outbound request and stats still use the raw uri with its port, so nothing about proxying changes. This was silently breaking every hostname-anchored (||host/path) network rule on every HTTPS site
  • Update ublock annoyances url
  • Add support for MIPS, MIPSLE
  • Injected uBlock scriptlets now actually run
    • Even after the 0.7.0 scriptlet repair, every injected ##+js(...) scriptlet was a silent no-op. adblock-rust emits scriptlet bodies that reference an ambient scriptletGlobals object (uBlock Origin supplies it in its own injector; adblock-rust leaves it to the embedder), so the first internal call threw ReferenceError: scriptletGlobals is not defined, which each scriptlet's own try/catch swallowed. Privaxy now defines scriptletGlobals at the top of the injected payload, so abort-current-script, prevent-addEventListener, abort-on-property-read, set-cookie, etc. take effect.
  • Procedural cosmetic filtering
    • Non-CSS procedural filters are no longer dropped (previously only filters reducible to plain CSS were applied). :has-text, :matches-css/-before/-after, :matches-attr, :matches-path, :min-text-length, :upward, :xpath, and the :remove()/:style()/remove-attr/remove-class actions are now evaluated in-page by an injected shim.
    • The shim re-runs on DOM mutations and recurses into same-origin child frames (about:blank/srcdoc/data: with allow-same-origin), so ad content written into such frames after load is also matched. Cross-origin frames and closed shadow DOM remain out of reach.
  • Scriptlet error logging (debugging)
    • New opt-in debug.scriptlet_console_logging (off by default), toggleable from Settings → Debug, surfaces errors thrown by injected scriptlets in the page console as [privaxy scriptlet] entries instead of swallowing them.
  • Live log streaming in the web UI
    • Settings → Debug now shows the server's log output in real time
    • The level can be changed in the webui
  • Fix cosmetic "modified responses" statistic undercount
    • Pages where only element-hiding (display: none) selectors were injected were not counted as modified; any injected cosmetic CSS now counts
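
The DoH detection described in the list above (RFC 8484 `application/dns-message`, JSON DoH, known resolver endpoints) can be sketched as follows. This is an added example, not code from this pull request or from Privaxy; `Request`, `DohKind`, `classify_doh` and the resolver list are assumptions made for illustration.

```rust
// Added example (not Privaxy's code): classify a decrypted request as DoH.
#[derive(Debug, PartialEq)]
enum DohKind { Wire, Json, KnownEndpoint }

// Constructed sample list; config-supplied hosts (cf. extra_hosts) are appended.
const KNOWN_RESOLVERS: &[&str] = &["cloudflare-dns.com", "dns.google", "dns.quad9.net"];

struct Request<'a> {
    method: &'a str,
    host: &'a str,
    path_and_query: &'a str,
    headers: &'a [(&'a str, &'a str)],
}

// True when a header carries `wanted` as one of its media types, ignoring
// parameters (";q=0.9", ";charset=...") and case.
fn has_media_type(req: &Request, name: &str, wanted: &str) -> bool {
    req.headers.iter()
        .filter(|(k, _)| k.eq_ignore_ascii_case(name))
        .flat_map(|(_, v)| v.split(','))
        .any(|t| t.split(';').next().unwrap_or("").trim().eq_ignore_ascii_case(wanted))
}

fn classify_doh(req: &Request, extra_hosts: &[&str]) -> Option<DohKind> {
    let (path, query) = req.path_and_query.split_once('?').unwrap_or((req.path_and_query, ""));
    let has_param = |p: &str| query.split('&').any(|kv| kv.split('=').next() == Some(p));
    // RFC 8484 wire format: typed POST body, explicit Accept, or GET ?dns=<base64url>.
    if has_media_type(req, "content-type", "application/dns-message")
        || has_media_type(req, "accept", "application/dns-message")
        || (req.method == "GET" && path == "/dns-query" && has_param("dns"))
    {
        return Some(DohKind::Wire);
    }
    // JSON DoH: ?name=... requested as application/dns-json.
    if has_media_type(req, "accept", "application/dns-json") && has_param("name") {
        return Some(DohKind::Json);
    }
    // Fallback: resolver host plus a resolver path, whatever the headers claim.
    let host = req.host.to_ascii_lowercase();
    let listed = KNOWN_RESOLVERS.iter().chain(extra_hosts).any(|h| host == *h);
    (listed && matches!(path, "/dns-query" | "/resolve")).then_some(DohKind::KnownEndpoint)
}

fn main() {
    // Constructed request: a typed POST to a host that is on no list.
    let hdrs = [("Content-Type", "application/dns-message")];
    let req = Request { method: "POST", host: "doh.example", path_and_query: "/q", headers: &hdrs };
    println!("{:?}", classify_doh(&req, &[]));
}
```

Checking the media type before the host list means a resolver that is on no list is still caught when it speaks the standard wire format.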
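
The default-port problem behind the `match_url` change in the list above, as an added example that is not code from this pull request: `canonical_match_url` is a hypothetical helper and `hostname_anchored_match` is a simplified stand-in for the filter engine's `||host/path` matching, both assumptions made for illustration.

```rust
// Added example (not Privaxy's code): why a raw URI with ":443" misses
// hostname-anchored rules, and the canonical form that fixes it.

// Hypothetical helper: drop the scheme's default port and lowercase the host.
fn canonical_match_url(raw: &str) -> String {
    let Some((scheme, rest)) = raw.split_once("://") else { return raw.to_string() };
    let default_port = match scheme.to_ascii_lowercase().as_str() {
        "http" | "ws" => "80",
        "https" | "wss" => "443",
        _ => return raw.to_string(),
    };
    let end = rest.find(|c: char| matches!(c, '/' | '?' | '#')).unwrap_or(rest.len());
    let (authority, tail) = rest.split_at(end);
    // An IPv6 literal without a port ends in ']', so it never equals the port.
    let host = match authority.rsplit_once(':') {
        Some((h, port)) if port == default_port => h,
        _ => authority,
    };
    format!("{}://{}{}", scheme, host.to_ascii_lowercase(), tail)
}

// Simplified stand-in for the engine: "||host/path" must appear literally,
// starting at the host or right after a '.' inside it (subdomain boundary).
fn hostname_anchored_match(rule: &str, url: &str) -> bool {
    let Some(pattern) = rule.strip_prefix("||") else { return false };
    let Some((_, rest)) = url.split_once("://") else { return false };
    let host_end = rest.find('/').unwrap_or(rest.len());
    (0..host_end).any(|i| {
        rest.is_char_boundary(i)
            && (i == 0 || rest.as_bytes()[i - 1] == b'.')
            && rest[i..].starts_with(pattern)
    })
}

fn main() {
    let rule = "||ads.example.com/banner"; // constructed rule and URL
    let raw = "https://ads.example.com:443/banner.js";
    println!("raw: {}", hostname_anchored_match(rule, raw));
    println!("canonical: {}", hostname_anchored_match(rule, &canonical_match_url(raw)));
}
```

Only the string handed to the matcher is canonicalized; a non-default port such as `:8443` is kept, so the rule and the URL still have to agree on it.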

* add mips be

* release ci

* tag

* ci

* v4

* ci
…e MIPS debs/rpms (#27)

* request type from Sec-Fetch-Dest; capped block log line; report-only CSP no longer augmented

* request_type threaded into the engine check

* mips

* format

* fix host blocking

* keep filters on reload
* fix auth

* fix blocking button

* bump to 0.7.1
@joshrmcdaniel joshrmcdaniel self-assigned this May 29, 2026
zeropath-ai Bot commented May 29, 2026

No security or compliance issues detected. Reviewed everything up to 53b6102.

Security Overview
Detected Code Changes

The diff is too large to display a summary of code changes.

* doh

* fmt
* doh

* fmt

* Forgot doh lol
* add css support, fix scriptlets

* debug setting entry

* changelog

* debug frontend
* add css support, fix scriptlets

* debug setting entry

* changelog

* debug frontend

* logging

* changelog
* mmtls tunneling

* timeout socket

* docs

* pac optimization

* buildmode arg

* lint rule
@joshrmcdaniel joshrmcdaniel merged commit ec2de20 into main May 30, 2026
24 of 33 checks passed