From 6b847c169d20a30ab4caa512d3683ae563a83255 Mon Sep 17 00:00:00 2001 From: ilyaigpetrov Date: Sat, 30 Oct 2021 16:57:21 +0000 Subject: [PATCH] FOR-REVIEWERS.md created online with Bitbucket --- FOR-REVIEWERS.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 FOR-REVIEWERS.md diff --git a/FOR-REVIEWERS.md b/FOR-REVIEWERS.md new file mode 100644 index 0000000..c945a19 --- /dev/null +++ b/FOR-REVIEWERS.md @@ -0,0 +1,11 @@ +# For Reviewers + +## Justifications of serving hard to read PAC-scripts + +0. It's not obfuscated but compressed to fit into the 1MB limit on PAC-script size in most browsers. +1. In this repository you may find the open source codes of our pac-script generator -- we may translate it to English upon your request. +2. I understand it's difficult to evaluate if PAC-script is malicious or not. However, take into account the worst case damage it can inflict: + - It may leak addresses user visits via dnsResolve. + - It may return a proxy which collects addresses user visits or even modifies responses (this is explicitly allowed when user agrees to `proxy` permission in our browser extension). +3. PAC-scripts (remote or not) are executed in a kind of sandbox: they have access only to a restricted API (see https://github.com/anticensority/about-pac-scripts/blob/master/pac-script-api-chrome-55.md for details). +So they are quite benign.
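Review bot: the closing line "So they are quite benign." does not follow from item 2 of the same list, which names leaking visited addresses via dnsResolve and returning a proxy that collects addresses or modifies responses as the worst case. Suggest replacing it with a statement of what the sandbox in item 3 actually bounds (the script can only use the restricted PAC API) and leaving the item 2 impact as stated, so a reviewer does not read the sandbox as mitigating traffic interception by the returned proxy. Two smaller points: items 0 and 1 say the script is compressed and that the generator source is in this repository, but give no path to the generator and no steps to regenerate the served script and compare it, which is what a reviewer needs in order to check the "not obfuscated" claim. Also, the final line follows item 3 with no blank line, so Markdown folds it into item 3 instead of rendering it as a conclusion for the whole list.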