[GH-ISSUE #1791] Domains in Hide List are still displayed if they are also ran through the Scripting Tool #1784

Open
opened 2026-03-03 19:54:23 +03:00 by kerem · 2 comments

Originally created by @sleeve on GitHub (Oct 1, 2023).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1791

Description

I've been doing some insecure HTTP audits recently and noticed that if domains that I've configured in the Block/Hide List to be hidden are also run through a Script I have enabled, they are still being displayed in the Proxy log and aren't hidden. It feels like if a domain is in the Hide List it should always be hidden even if it also gets filtered by a Script that's enabled.

Maybe the Hide List functionality needs to be moved to the last step of the Proxy Log display code? Allow Scripts to be run but then check the Hide List after that to determine if the call should display in the Proxy Log?

Maybe I'm missing something and there's a workaround I can use in my script to keep the calls hidden? Thanks!

Steps to Reproduce

  1. Create a Hide List rule for a domain or a group of domains (Using an OCSP HTTP regex hide list for this example but any domain list should work.)

     ```
     ^https?:\/\/((ocsp2\.apple\.com)|(ocsp\.digicert\.com)|(ocsp\.r2m0.\.amazontrust\.com)|(ocsp\.pki\.goog)|(globessl\.ocsp\.sectigo\.com)|(ocsp\.usertrust\.com)|(ocsp2\.globalsign\.com)|(r3\.o\.lencr\.org)|(ocsp\.rootca1\.amazontrust\.com)|(ocsp\.sectigo\.com)|(static\.ess\.apple\.com)).*
     ```

  2. Note that all calls caught in this rule are then hidden correctly and not displayed in the Proxy Log

  3. Create a simple script that will interact with those calls in the hide list and enable it. (Using a simple HTTP calls colored red script)

     ```
     ^http:\/\/.*
     ```

     ```
     async function onRequest(context, url, request) {
       request.color = "red";

       return request;
     }
     ```

  4. Trigger the calls that will be run through the script and are also on the hide list.

  5. Note that the calls that are caught and run through the script are no longer hidden from the proxy log and are colored red even though they are on the Hide List.

Expected Behavior

Hide calls from the proxy log that are a part of a Hide List rule even if they are caught in a script.

Environment

Proxyman Pro 4.12.0 (49300)
macOS Sonoma 14.0
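
The ordering question raised in the report, as an added example that is not part of the original issue and is not Proxyman's code: a small constructed model in which scripts run first and the Hide List is either skipped for scripted flows (the observed behaviour) or applied as the last check (the proposed behaviour). The function names, the `scripted` flag and the sample URLs are assumptions; the two patterns are copied from the steps above.

```javascript
// Constructed model of proxy-log filtering; not Proxyman's implementation.
// Hide List regex and script match pattern are taken from the issue.
const HIDE_LIST = [
  /^https?:\/\/((ocsp2\.apple\.com)|(ocsp\.digicert\.com)|(ocsp\.r2m0.\.amazontrust\.com)|(ocsp\.pki\.goog)|(globessl\.ocsp\.sectigo\.com)|(ocsp\.usertrust\.com)|(ocsp2\.globalsign\.com)|(r3\.o\.lencr\.org)|(ocsp\.rootca1\.amazontrust\.com)|(ocsp\.sectigo\.com)|(static\.ess\.apple\.com)).*/,
];
const SCRIPTS = [
  { match: /^http:\/\/.*/, onRequest: (request) => ({ ...request, color: "red" }) },
];

const isHidden = (url) => HIDE_LIST.some((re) => re.test(url));

// Run every matching script and record whether any script touched the flow.
function applyScripts(request) {
  let out = request;
  let scripted = false;
  for (const s of SCRIPTS) {
    if (s.match.test(out.url)) {
      out = s.onRequest(out);
      scripted = true;
    }
  }
  return { request: out, scripted };
}

// Observed behaviour: a scripted flow is displayed even if it is on the Hide List.
function observedLog(requests) {
  return requests.map(applyScripts)
    .filter(({ request, scripted }) => scripted || !isHidden(request.url))
    .map(({ request }) => request);
}

// Proposed behaviour: scripts still run, then the Hide List decides last.
function proposedLog(requests) {
  return requests.map(applyScripts)
    .filter(({ request }) => !isHidden(request.url))
    .map(({ request }) => request);
}

// Constructed sample traffic (hypothetical URLs).
const SAMPLE = [
  { url: "http://ocsp.digicert.com/status" }, // Hide List and script
  { url: "https://ocsp.pki.goog/gts1c3" },    // Hide List only
  { url: "http://example.test/login" },       // script only
  { url: "https://example.test/api" },        // neither
];

console.log("observed:", observedLog(SAMPLE).map((r) => r.url));
console.log("proposed:", proposedLog(SAMPLE).map((r) => r.url));
```

With the Hide List applied last, the plaintext OCSP call drops out of the log while the other plaintext request is still flagged red, which is what an insecure-HTTP audit needs.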


@NghiaTranUIT commented on GitHub (Oct 2, 2023):

Thanks @sleeve, it's a bug.

You can work around this by adding all domains in the Block List to the Bypass Proxy List in the Tool menu -> Proxy Setting.
These requests never go to the Proxy -> Don't show on the Proxyman app and don't go through the Scripting tool too.


@sleeve commented on GitHub (Oct 7, 2023):

Thanks for confirming that it's a bug. That workaround is fine if you're just proxying local macOS traffic but it doesn't work for remote/mobile devices, which is what I use most in Proxyman.

That's why the "Hide List" is such a powerful tool since it can hide both local macOS traffic AND remote device traffic. I'd like to just maintain a single list of domains in the hide list tool instead of keeping track of both a bypass AND hide list.
