init 1.0

.gitignore

@@ -0,0 +1 @@
+node_modules/

LICENSE.md

@@ -0,0 +1,25 @@
+The MIT License (MIT)
+=====================
+
+Copyright © 2021 TensorTom
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the “Software”), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

PRIVACY.md

@@ -0,0 +1,3 @@
+# Privacy
+
+This extension doesn't collect any personally identifying information from its users.

README.md

@@ -0,0 +1,40 @@
+# HTTP POST Search [Chrome extension]
+
+Chrome extension which replaces insecure GET requests (Like `https://search.com/?query=cat+memes`) of search providers with secure POST requests.
+
+## Motivation
+
+This is a pretty simple yet longstanding problem. We all know that if we visit a site with `https://` in the link, it means our web browser has an encrypted (SSL) connection to the web-site. This is great for securely submitting passwords and other personal data. The problem is, the characters that comprise the URL in a GET request are not private at all.
+
+- POST requests aren't cached by the browser or search history (GET requests are).
+- POST requests on an `https` site are hidden from your ISP (GET requests are not).
+
+## GET & POST Requests?
+
+Let's say Alice visits `https://acmebank.com` where she logs into her bank account. To login, she submits a form on the bank's web-site containing her username and password. When she clicks the login/submit button, her username and password are sent securely to `acmebank.com` because:
+
+-   Login forms traditionally use the HTTP (Over HTTPS) method called POST.
+-   POST requests (Forms) are transmitted to the website via HTTP headers. If the URL starts with `https://`, the POST request is encrypted. No outside entities (Her ISP, governments, etc.) can directly spy on what Alice submitted. If it had instead been a GET request, Alice would see something like this in her address bar after clicking submit: `https://acmebank.com/login/?user=alice&password=monkey123`.
+
+## Search Engines Use GET? WHY!
+
+It doesn't make much sense, does it? Go to just about any search engine, even the privacy-centric ones (DuckDuckGo, Startpage, etc.), and search for `test123`. You'll see that the address in the address-bar now contains your search query (Like `https://www.startpage.com/do/search?query=test123` ). Congrats. You now have zero privacy of your search habits.
+
+### The Conspiracy
+
+I'd take the odds of a conspiracy here. You have a superior programming method which all web developers know to use by default, yet magically:
+
+- All major search engines, including  the privacy-centric ones (DuckDuckGo & Startpage) use GET requests by default.
+- No major web browser, including the privacy-centric one (Brave), supports POST requests for search providers.
+
+It's not like they don't support POST. Both DuckDuckGo and Startpage both support it but it's off by default and not supported by browser search providers. The NSA and British intelligence have clearly infiltrated our search infrastructure.
+
+Hail Hydra (Or don't and use this extension)
+
+## The Simple Solution
+
+The extension monitors your searches in the background. If it sees a GET request being used to search a popular search-engine, it converts it to POST on-the-fly. The extension doesn't keep any records of your search history and can't transmit it anywhere except securely to the engine your searching. Alice's ISP, government, etc. will only see that she visited `https://www.startpage.com/do/search`. Her search query `test123` (And all future searches) is now transmitted securely and privately.
+
+For we who install extensions, problem solved. What about everyone else? Well, there have been massive feature request threads going back several years. I participated in some of them. Here we sit.
+
+### MIT License

background.js

@@ -0,0 +1,59 @@
+
+
+function url_to_queries(_url) {
+	var qd = {};
+	if (_url.search)
+		return _url.search.substr(1).split`&`.forEach((item) => {
+			let [k, v] = item.split`=`
+			v = v && decodeURIComponent(v)
+			(qd[k] = qd[k] || []).push(v)
+		})
+}
+
+
+chrome.webRequest.onBeforeRequest.addListener(
+	function (details) {
+		chrome.tabs.update(details.tabId, {
+			url: chrome.runtime.getURL("search.html"),
+		})
+		
+		var url = new URL(details.url)
+		//let data = url_to_queries()
+		let qel
+		if (url.searchParams.has('q'))
+			qel = 'q'
+		if (url.searchParams.has('query'))
+			qel = 'query'
+		let qval = url.searchParams.getAll(qel)
+		let handler = function (tabId, changeInfo) {
+			if (tabId === details.tabId && changeInfo.status === "complete") {
+				chrome.tabs.onUpdated.removeListener(handler)
+				chrome.tabs.sendMessage(tabId, {
+					data: qval,
+					qel: qel,
+					url: url
+				})
+			}
+		}
+		chrome.tabs.onUpdated.addListener(handler)
+		chrome.tabs.sendMessage(details.tabId, {
+			data: qval,
+			qel: qel,
+			url: url
+		})
+		return { cancel: true }
+	},
+	{
+		urls: [
+			"https://duckduckgo.com/?*q=*",
+			"https://start.duckduckgo.com/?*q=*",
+			"http://duckduckgo.com/?*q=*",
+			"http://start.duckduckgo.com/?*q=*",
+			"http://www.startpage.com/sp/search?*query=*",
+			"http://startpage.com/sp/search?*query=*",
+			"https://www.startpage.com/sp/search?*query=*",
+			"https://startpage.com/sp/search?*query=*"
+		],
+	},
+	["blocking"]
+)

manifest.json

@@ -0,0 +1,32 @@
+{
+   "background": {
+      "persistent": true,
+      "scripts": [ "background.js" ]
+   },
+   "description": "Automatically replaces insecure GET requests of search providers with secure/private POST requests. It even works with searches via the address bar. Just set it and forget it! Source-code is available on Github under MIT License.",
+   "homepage_url": "https://github.com/TensorTom/POST-Search-Privacy",
+   "icons": {
+      "128": "img/icon128.png",
+      "16": "img/icon16.png",
+      "32": "img/icon32.png",
+      "48": "img/icon48.png"
+   },
+   "incognito": "split",
+   "manifest_version": 2,
+   "name": "POST Search Privacy",
+   "permissions": [
+      "http://duckduckgo.com/?*q=*",
+      "https://duckduckgo.com/?*q=*",
+      "http://start.duckduckgo.com/?*q=*",
+      "https://start.duckduckgo.com/?*q=*",
+      "http://www.startpage.com/sp/search?*query=*",
+      "https://www.startpage.com/sp/search?*query=*",
+      "http://startpage.com/sp/search?*query=*",
+      "https://startpage.com/sp/search?*query=*",
+      "tabs",
+      "webRequestBlocking",
+      "webRequest"
+   ],
+   "update_url": "https://clients2.google.com/service/update2/crx",
+   "version": "1.0"
+}

package.json

@@ -0,0 +1,17 @@
+{
+  "name": "http-post-search",
+
+  "version": "1.0.0",
+  "main": "index.js",
+  "repository": "https://github.com/TensorTom/POST-Search-Privacy.git",
+  "author": "Tom A. <14287229+TensorTom@users.noreply.github.com>",
+  "license": "MIT",
+  "scripts": {
+    "clear": "rm -rf dist .cache",
+    "watch": "yarn clear && parcel watch src/{search.html,options.html,background.js} -d dist/src --public-url ./ -t node --bundle-node-modules",
+    "build": "yarn clear && parcel build src/{main.html,options.html,background.js} -d dist/src --public-url ./"
+ }
+  "devDependencies": {
+    "parcel-bundler": "^1.12.4"
+  }
+}

search.html

@@ -0,0 +1,12 @@
+<html>
+	<head>
+		<title>Private search...</title>
+		<meta http-equiv="content-type" content="text/html; charset=utf-8">
+	</head>
+	<body>
+		<h1>Private search...</h1>
+		<form method="POST" action="" id="post-search" name="post-search">
+		</form>
+		<script src="search.js"></script>
+	</body>
+</html>

search.js

@@ -0,0 +1,22 @@
+var onMessageHandler = function(msg) {
+	console.log('test')
+	console.log(msg)
+	chrome.runtime.onMessage.removeListener(onMessageHandler)
+	if (msg.hasOwnProperty('data') && msg.hasOwnProperty('qel')) {
+		var hin = document.createElement("input")
+		hin.type = "hidden"
+		hin.name = msg.qel
+		hin.id = msg.qel
+		hin.value = msg.data[0]
+		let frm = document.getElementById("post-search")
+		frm.appendChild(hin)
+		frm[msg.qel].value = msg.data[0]
+		let url = new URL(msg.url)
+		frm.action = url.origin + url.pathname
+		console.log(url.origin + url.pathname)
+		frm.submit()
+	}
+	
+}
+
+chrome.runtime.onMessage.addListener(onMessageHandler)