Fast forward off many years following the Chrome bandwagon (multi-processes + task manager to kill big pages were a must), I decided Firefox with its Quantum and WebExtensions was premature for my next browser .. so I thought I'd give the guys who forked 'good ol' FF and .. there's even that bloody Walnut theme in the repository waiting for me!
I apologise for this sounding like an intro ... however, my addon-shopping experience begins ..
No-script, GreaseMonkey and a Stylish which I got a huge kick out of - remembering how they transformed early YouTube for me into a beautiful and optimised (for me!) experience maybe the better part of a decade ago. I added a sorta privacy tool to try out called Secret Agent/Stealthy or something rather and it turned out to save my tail .. among a few others, but their choice was moot.
All my non-http traffic started being redirected, the addresses in plaintext logged:
Essentially, 's3blog.org' , some website likely I thought being HTTP originating from malware or an addon - was redirecting, through likely the same method, to prepend every non-HTTPS url as a request to a 'crvtck' dot com, what seemed like a sort of C&C for all I know. Someone had an issue with this website before and an extension called NEnhancer for Netflix, however that thread died and I had no such extension:
https://forums.majorgeeks.com/threads/n ... re.308434/
So .. I pop open a grep, and look for that address in my user folder ... nada. With time to kill, I start looking through the extensions, and decide it is so repeatable that I just disabled addon after addon (oh thank goodness for the 'restart manager' addon letting me reload the browser with non-https pages to test this!) and found it was S3 download bar manager I stooped into getting, reminded of a nostalgic download manager that'd fill my status bar with joy as a young one .. I digress.
I just end up dumping the .xpi archive with 7-zip and sort by date, and find the donkey:
Essentially, a few obviously recently modified files, probably from a hijacked plugin/port to pale moon/'desperation from the author'/who knows?
Turns out the plugin gives a dirty 'opt out' page, where there is nothing implied, and you must 'not support the author' .. to perhaps kill the redirecting:
The red button, it seems, is your 'non-consent' .
"If user consent is given, this add-on will show advertising on web pages.
In that case, the user's browsing history can be accessed by a third party (ad network).
But we don't collect cookies, password, e-mails or any other confidential info.
Only the domains (not full URLs) of the web-sites visited and nothing else."
In other words... "We hijack and potentially inject malicious scripts from 3rd party advertisers onto every non-secured web page, but we ourselves honestly honestly don't collect full addresses or nothing else!"
So... opt-out HTTP hijacking? Or did I just waste my time? Or am I a clueless edge-case user? But who would honestly do what I did? If I wanted to hand out my domains browsed, I'd pop back to Google Chrome.. I'd even trust them more with them.
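
The triage steps from the post (search for the redirect hosts, then open the .xpi and sort its members by date) written as a script. This is an added example, not part of the original post; the member names, timestamps and file contents in the sample archive are constructed.

```python
import io
import zipfile
from datetime import datetime

# Strings quoted in the post; the sample archive below is constructed.
INDICATORS = ["s3blog.org", "crvtck"]

def _stamp(member):
    # Some archives carry zeroed month/day fields; clamp so datetime() accepts them.
    y, mo, d, h, mi, s = member.date_time
    return datetime(y, max(mo, 1), max(d, 1), h, mi, min(s, 59))

def triage_xpi(data, indicators=INDICATORS, window_days=30):
    """Return (late_files, hits) for an .xpi (zip archive) passed as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        members = [m for m in xpi.infolist() if not m.is_dir()]
        if not members:
            return [], {}
        stamps = {m.filename: _stamp(m) for m in members}
        # The median timestamp approximates the original packaging date.
        baseline = sorted(stamps.values())[len(stamps) // 2]
        # "Sort by date": members stamped well after the rest, newest first.
        late = [n for n, t in stamps.items() if (t - baseline).days > window_days]
        late.sort(key=stamps.get, reverse=True)
        # Search decompressed members; grep on the .xpi itself sees compressed bytes.
        hits = {}
        for m in members:
            body = xpi.read(m).lower()
            found = [s for s in indicators if s.lower().encode() in body]
            if found:
                hits[m.filename] = found
    return late, hits

def build_sample_xpi():
    """Constructed archive: three old members, one recently modified."""
    old, new = (2015, 3, 1, 12, 0, 0), (2018, 2, 10, 9, 30, 0)
    files = [
        ("install.rdf", old, b"<em:homepageURL>http://www.s3blog.org/</em:homepageURL>"),
        ("chrome/content/overlay.js", old, b"function initBar() {}"),
        ("chrome/content/prefs.js", old, b"var prefs = {};"),
        ("chrome/content/consent.js", new, b"var host = 'crvtck' + '.example';"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, when, body in files:
            z.writestr(zipfile.ZipInfo(name, when), body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_xpi(build_sample_xpi()))
```

Zip timestamps are written by whoever built the archive, so a late member is a pointer for where to read first, not proof of tampering.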