NotHereToPlayGames

ported Humming Owl's v12 "shared.ydstatic.com", "95001111", "googleapis" and "gstatic" entries by dots -- have not tested remainder of entries in Humming Owl's list has already been replaced (or did not exit in v13).

Do you recall why the below section was replaced for v12? - Offset (h) = 02bc54a0 Replaced the "68 74 74 70 3A 2F 2F 73 6F 2E 33 36 30 2E 63 6E 2F 73 3F 71 3D 25 73 26 73 72 63 3D 33 36 30 63 68 72 6F 6D 65 5F 61 64 64 72 26 69 65 3D 75 74 66 2D 38 00 68 74 74 70 3A 2F 2F 77 77 77 2E 62 61 69 64 75 2E 63 6F 6D 2F 62 61 69 64 75 3F 77 6F 72 64 3D 25 73 00 68 74 74 70 3A 2F 2F 63 6E 2E 62 69 6E 67 2E 63 6F 6D 2F 73 65 61 72 63 68 3F 71 3D 25 73 00 26 69 65 3D 00 26 75 65 3D" hexadecimal code by 00 hexadecimal values

removed adfilter exceptions (adfilter functionality already disabled but now exceptions list is empty) (see Humming Owl's notes) removed default search engines (see Humming Owl's notes)

Settings - UI Style functionality has already been broken, removed more items (see Humming Owl's notes), removed from GUI

Thanks!

Disregard. This "might" be related to Settings - Advanced -> HTTPS/SSL -> intercept certificate risk option (I don't use this option but at the same time am mindful to not "break" any options that I don't use but that others may opt to use).

Settings - Basics removed and disabled search engine built-in fallback (see Humming Owl's notes)

I've also opted to remove the root directory sslblock.zip. This was used in earlier versions but I have yet to witness this page ever be displayed in v13. From the best I can gather, all ssl cert errors are displayed via clicking the padlock icon in v13's address bar. That and as far as lightweight, fast, and efficient, I'm content with just the ssl error code in the title bar and a completely blank page in the content area. My only way of really testing has been this site -- https://badssl.com/

I just ran an SRWare Iron v48 (could not find a v49) first-run and saw two Google connections and one Microsoft connection all within 10 seconds of launch. Then it proceeded to connect to some Google Translate IP Addresses when navigating around in the settings pages. At that point, I exited because this has become a total and complete waste of time in my view. And I may have missed a few because I had to set the startup page to about:blank - which should be the out-of-the-box default for ALL browsers (you can't really catch all startup shenanigans when it is loading a "default page"). We really are blowing this single solitary gstatic connection way out of proportion. Because EVERYTHING that I have looked at shows us to have 360Chrome down to one single solitary gstatic connection with no unique identifier of any kind and every other browser on the planet is making SEVERAL "connections" that nobody seems to really even care about. No offense guys, as I've reported over and over, this project isn't about compiling Iron 2.0 (but we can't call it that now, Iron makes first-run connections also!), it is about creating a browser we can "trust". We will never satisfy the Archie McPhee Tin Foil Hat crowd. I wholly and fully "trust" 360Chrome - even moreso after watching connections being made by other browsers whose user-base just trusts them blindly without question.

There's a search feature? <just joking...> The maintenance caught me offguard, lost a fairly lengthy in-process post but it is what it is

I wasn't surprised, to be honest. I used to use Comodo Firewall and setting up rules for Firefox was always very tricky and time-consuming (unless you just wanted to tell Comodo to "trust" Firefox, which was never my route!). Firefox has always done some very strange stuff on startup. They conducted their test in a similar fashion to how I tend to - NO STARTUP PAGE (it's tricky to isolate first-run shenanigans if you throw a startup page into the frey), no profile, launch and let it sit there for TEN MINUTES without opening anything, don't go to any web site, don't open any settings page, don't click anywhere, just let it SIT THERE. Then click around in the GUI while still monitoring net traffic. Then close and relaunch and continue to monitor net traffic. My 360Chrome v13 build 2206 only has the ONE gstatic connection and it has no unique identifiers that I can find (I welcome anybody to screencap evidence to the contrary because that would shift priorities). But just citing its presence is kinda propaganda, smear tactics, undo paranoia, you can decide for yourselves how to "label" it. I myself (until proven otherwise) find it not only HARMLESS, but it's been there for DECADES in all Chromium builds. Again, I am of the persuasion that IF it was NOT harmless, then there would have been a hanging in the town square and the revolution would have been televised. Or something like that...

A must-read for everybody following this "gstatic" connection in 360Chrome -- https://brave.com/popular-browsers-first-run/ Firefox v86 made 2,799 network requests to 8 domains on its first-run, 9 telemetry requests were made, 3 telemetry requests were made 10 minutes after Firefox was closed, new requests were made on second-run. The writeup also discusses Chrome v89 (cites 91 network requests) and reports no observed personal information or unique identifiers. I'm finding the ONE solitary first-run-only gstatic connection to be HARMLESS and won't be spending time on my end to axe it. I will port any findings to my rebuild but I'm seeing it as HARMLESS and "excessive paranoia" - time to put on our Archie McPhee Tin Foil Hat. I don't deny that the article is a Brave "marketing" writeup, but at the same time they would be "tarred and feathered" for any false and misleading "propaganda".

i can hereby confirm that the --no-first-run switch does NOT prevent that first-run gstatic connection (only tested in v13 build 2206). Nor does it effect startup time for the first launch after a reboot (which for me is generally right around 5.5sec versus 0.4sec for every launch thereafter). [MyPal, NM, and Basilisk also have this first-launch-after-reboot lag, possibly a side-effect to running all as "portable".]

re: --no-first-run From what I have read, I have very low expectations on this command line switch and would not chase the rabbit down this rabbit hole. The "first run" that this command line switch entails is more along the lines of the "welcome" page which 360Chrome does not employ anyway (though it might "coincidentally" break that v11 first-run popup for selecting theme). I'll be confirming later but again, this switch is all about that "welcome" page that orginal Chrome/Chromium will display on first run. Not saying with full certainty that it will not fix that first-run gstatic, but I have very low expectations at this point.

I have a very VERY strong hunch that this was simply an "accident" and that the developers of 360Chrome did not test in xp x86 sp2 and have zero interest in xp x86 sp2. I have an equally strong hunch that the developers also did not test in win 2000, win 98, win 95, or win 3.1 and nor did they test on a Commodore 64 or VIC-20.

Do you have additional details on the googleapis and gstatic modifications?

Okay, I decided to put my money where my mouth is. I think you'll agree this to be proof. We know that UA-CH did not exist in Chrome 80 and we know that UA-CH is enabled by default in Chrome 92. html5test.com gives that "imitates" in the results for Chrome 80 and for Chrome 92 - has nothing to do with UA-CH (which I "think" was your claim, not sure? I can't follow your posts at times). And as my geometry teacher used to say -- Q. E. D.

Actually, since you requested I run a test, I'll submit a test in return. We know that UA-CH started with Chromium 84 (some sites report 85 but I see several that cite 84, so worst case we will call it 84). So here is a test for you - run that html5test (which I personally think is flawed, but I don't have much experience with it) using Chromium/Chrome EIGHTY and fake a Firefox user agent. My hunch (I welcome you to screencap proof that I am wrong) is that running that "test" using Chrome 80 and faking a Firefox user agent will give you that "imitates" result - so it has nothing to do with UA-CH, would you agree?

You seem to be confused on just what UA-CH does (or I am?) The agenda of UA-CH is to BYPASS the user agent completely. Detection based on UA-CH would detect your true browser REGARDLESS of whether you were faking a user agent or not. The html5 detected the faked user agent, so it has nothing to do with UA-CH, the "imitates" can be due to a hundred different things, various "combinations" that throw out the word "imitates" when Condition A plus Condition B is met. The whole agenda has very little to do with "privacy" or "telemetry" - though I would classify you as a bit more "extremist/alarmist" than I would classify myself. "Not that there's anything wrong with that." (A Seinfeld reference.) The purpose is for the website to know if you are on a MOBILE device versus a DESKTOP and to send the proper code for a proper rendering. If they succeed in rolling out this platform (way too early, not even sure if it exists "in the wild yet", just 'on paper') then those of us that FAKE user agent strings to FORCE a "heavy" web site to send us code based on less "hungry" javascript, as an example, will no longer be able to do that. The website will DETECT our TRUE "fingerprint" regardless of what we tried to FAKE by using the very old and everybody-knows-it "trick" of sending a FALSE user agent string. That's my understanding thus far at least. I'd be more than happy to read any respectable website link you may have that may indicate otherwise. The html5 test doesn't show me what I need to see as "proof". A "real" test that proves UA-CH is in fact "functioning and enabled" would be a test that reports "You faked your user agent to tell me you are Firefox on Linux, but I know better, you are really Chrome 86 on Win XP x64". Just catching XP x64 would really prove an advance to me, as almost all of these "test sites" including html5test.com refers to my XP x64 as Windows Server 2003. So that alone tells me that html5test isn't very "advanced".

Also as an FYI -- UA-hints does not function (by default) in 360Chrome v13 build 2206. The User-Agent Client Hints became available with Chromium 84 and was gradually enabled on Chrome Stable as each release became available. In Chromium 84, it was disabled by default and you had to enable it with this flag -- about://flags/#enable-experimental-web-platform-features The feature was not enabled by default until the release of Chromium 89. Reminder - 360Chrome v13 is based on Chromium 86 and is thusly disabled by default. Below are screencap's from a test site that demonstrates if you have this feature enabled or not (I pulled the enabled via Chrome 92 from Win 7 VM). The key section to look at is the "Subsequent Request" being empty after we sent an "Accept-CH" header. And of course I shouldn't have to remind everyone that you are protected even further by only allowing white-listed javascript.

As a quick status update, I am targeting this weekend for a "rebuild #3" upload (v13 build 2206 rebuild 3). I didn't techincally do this one as a modification of "rebuild #2" but rather as a complete redo from the ground up from experiences gained in rebuilding several other build versions (ie, when we were testing on XP x86 SP2). I used portions of @Humming Owl's list of modifications and this has lead to a slightly different path (which may or may not be reverted, undecided at this point). One such change completely removes the Avatar context menu. There's two routes we can take with the Avatar context menu. That menu is mainly used for logging into a 360 Account (which we intentionally remove all functionality thereof). @Humming Owl's method to remove the 360 Account login function also completely removes this Avatar context menu, not just the 360 Account aspects but the entire context menu. For now, I went with this route also - it is "easiest" (by far) and I never really use the Avatar context menu. But there is an alternative route - we could keep the Avatar context menu, remove only the actual 360 Account aspects, and build that Avatar context menu into anything we want (links to History, Downloads, JavaScript console, Task Manager, link to MSFN 360Chrome general discussion thread, View page source, various chrome URLs, the list is endless). I am actually leaning towards turning that Avatar context menu into a list of chrome URLs -- for reference - https://www.ghacks.net/2012/09/04/list-of-chrome-urls-and-their-purpose/

Agreed! I boycott Facebook but people that are ADDICTED to it "don't care" that Facebook knows more about them then their own MOTHER knows about them. I'm aware of the history and Firefox is doing something similar, don't know the how's and the where's but I assure you that it is being done "somewhere" - and not just by "user agent". Because, and I personally don't understand it, but it's because "they" (Firefox, Chrome, Safari, Edge, Opera - they ALL do it!) think that "market share statistics" are somehow "important" or somehow actually "mean something". It's a meaningless statistic - there's the ol' adage ---- There are three types of lies -- lies, d@mn lies, and statistics. WTFC about a web brower's "market share"? Does it "really" mean anything? I have EIGHT comptuers and every one of them has 360Chrome v13 build 2206 and MyPay v27.9.4 on them, some have Basilisk, some have NM 27, some have NM 28. Am I being "bean-counted" EIGHT times for 360Chrome and MyPal? Even if 360Chrome gets used 90% of the time and MyPal only gets used 10% of the time? Like I say, "they" do it because "they" have the false impression that "market share" not only "means something", but that it is so vastly important that they should spend millions trying to gauge it and collect first-run data, user-agent data, et cetera, and place "The Great Supercomputer Deep Thought" (Hitchhiker's Guide to the Galaxy) in a dark corner for 7.5 million years as it runs numbers on that data and find that Ultimate Answer -- 42... But I digress...

This personally irritates me! I posted a First Run connections log for Basilisk several posts up. I counted eleven First Run connections in Basilisk yet they have gone completely unnoticed for "decades" yet one solitary gstatic connection in 360Chrome has the World in a Frenzy? Explain that, please! I'm showing Basilisk to make repeated connections with Cloudfare - why no frenzy? I'm showng Basilisk to make several connections with googleusercontent - why no frenzy? I'm showing Basilisk to make several connections with deploy.static.akamaitechnologies - why no frenzy? I'm showing Basilisk to make several connections with MCI Communications Services in Ashburn, VA - why no frenzy? I'm showing Basilisk to make several connections with Microsoft Corporation at One Microsoft Way in Richmond, WA - why no frenzy? What am I missing here? A blind trust for anything Firefox? Again, I wholly and fully support taking measures to make our own browsing experience free of telemetry! I've got nothing to "hide" and there is a balance between returning to driving a horse-drawn buggy and just allowing telemetry to go unchecked. But I have to admit, I really don't think that it is too much to ask for the folks that have such a great concern for 360Chrome making one solitary gstatic connection to have an equal concern for what their Firefox browsers have been logging for DECADES but has gone "unchecked" or "blindly trusted".

I have wondered the same regarding your posts, so "who knows". Oh well, to each there own. But, and I am paraphrasing, I don't recall ever saying "are you an id1ot, why would anyone enable that feature, do you even know what it is" and you directed that paraphrase to me twice (at least it seemed), so yeah, you rub me the wrong way at times! But moving on... I did place you on "ignore" for a while, but I'll go ahead and give you another try as you were "positive" with a few 360Chrome suggestions a few posts ago, so "onward and upward". I was searching an hour or so ago trying to gauge Netherlands privacy concerns relative to the privacy concerns (ie, the very reason we remove telemetry and monitor "connections" in 360Chrome) of us on this side of the pond. The US definitely lags behind based on several global news sources, it looks like your country protects you more than you give them credit for, who knows. The EU has privacy czars and the GDPR and CCPA and I even saw Netherlands is in the midsts of a lawsuit against Facebook that the courts handed Facebook a loss as far as their attempts to drop the case. So you disabled a phone's GPS with a soldering iron but you don't see yourself as paranoic on any level, just merely precautionary? Again, oh well, to each there own. Constant usage of the word "gugle" strikes me as a bit odd, but you are from a country trying to knock Facebook down a few pegs - I wholly and fully support any endeavor of that nature. I can remember our government breaking up "Ma Bell" into five (?) "Baby Bells" when I was growing up - but we (the US) has enabled Google, Facebook, Apple, and Amazon to grow to gigantuous sizes. I also remember the day when everybody would call Microsoft "M$" like your use of "gugle". Nothing really happened with Microsoft aside from "browser choice" or whatever they called it and Windows operating systems no longer putting a big blue "E" with a halo on the desktop. I wholly and fully support any knockdown of Google, Facebook, et cetera. But I still think we can call them "Google". But to each there own (which, I admit, is often times easier said than done).

I'm all for countermeasures for our own peace of mind regarding our own levels of paranoia. But there is also a point where it reaches the level of a psychiatric disorder. I don't own a phone but that's because I use VoIP over my internet connection. But let's use a phone as an example - going the extents to that of being afraid that Google is reading your MSFN posts? I have to ask, do you own a phone with GPS capabilities? You see where I'm going? I don't really have a desire to sit in a buggy and stare at a horses butt while traveling from A to B and don't really want to milk a cow and churn my own butter while the wife rakes laundry over one of those curragated thingamajiggies down at the creek and the daughter spins cotton into thread for next year's overalls. I hope you post from a coffee shop or public library if your level of paranoia is as extreme as you make it sound. But jokes and sarcasm aside, yes, I get it, countermeasures gallore... To an extent...