Free Software Foundation Introduces JShelter Browser Add-on to Restrict JavaScript API

Its FOSS ^ | 2 October 2021 | Staff

[ShadowAce]

The Free Software Foundation has unveiled the project JShelter , which develops a browser add-on to protect against threats posed by JavaScript on websites, including hidden identification , movement tracking, and user data collection. The project code is distributed under the GPLv3 license. The add-on is prepared for Firefox , Google Chrome , Opera , Brave, Microsoft Edge and other browsers based on the Chromium engine.

The project is being developed as a joint initiative funded by the foundation NLnet Foundation. JShelter has also been joined by Giorgio Maone, the creator of the add-on NoScript , as well as the founders of the project J ++ and the authors of the add ons JS-Shield – and JavaScript Restrictor . The add-on is used as a basis for the new project JavaScript Restrictor .

JShelter can be thought of as a firewall for JavaScript APIs available to sites and web applications. The add-on provides four levels of protection, as well as a flexible API access configuration mode. Level zero completely allows access to all APIs, the first one includes minimal locks that do not disrupt the work of pages, the second level balances between locks and compatibility, and the fourth level includes strict blocking of everything unnecessary.

API blocking settings can be tied to individual sites, for example, for a certain site, you can strengthen the protection, and for another, disable it. You can also selectively block certain JavaScript methods, objects, properties, and functions, or spoof return values ​​(for example, give false information about the system). Separately, the NBS (Network boundary shield) mode is highlighted, which does not allow pages to use the browser as a proxy between the external and local networks (all outgoing requests are intercepted and analyzed).

Blocked or restricted APIs:

• window.Date, window.performance.now (), window.PerformanceEntry, Event.prototype.timeStamp, Gamepad.prototype.timestamp and VRFrameData.prototype.timestamp – the exact time displayed can be used to identify and carry out attacks side-channel .
• HTMLCanvasElement (canvas.toDataURL (), canvas.toBlob (), CanvasRenderingContext2D.getImageData, OffscreenCanvas.convertToBlob ()) – used to determine the features of the graphics subsystem when identifying a user.
• AudioBuffer и AnalyserNode (AudioBuffer.getChannelData(), AudioBuffer.copyFromChannel(), AnalyserNode.getByteTimeDomainData(), AnalyserNode.getFloatTimeDomainData(), AnalyserNode.getByteFrequencyData() и AnalyserNode.getFloatFrequencyData()) – идентификация через анализ звуковых сигналов.
• WebGLRenderingContext – identification through analysis of the features of the graphics stack and GPU.
• MediaDevices.prototype.enumerateDevices – identification by receiving parameters and names of the camera and microphone.
• navigator.deviceMemory, navigator.hardwareConcurrency – getting hardware information.
• XMLHttpRequest (XHR) – Transfers the collected system information to an external server after the page has loaded.
• ArrayBuffer – carrying out microarchitectural attacks like Specter.
• WebWorker (window.Worker), SharedArrayBuffer (window.SharedArrayBuffer) – attacks that estimate data access delays.
• Geolocation API (navigator.geolocation) – access to location information (the add-on allows you to distort the returned data).
• Gamepad API (navigator.getGamepads ()) – one of the identification signs, taking into account the presence of a gamepad in the system.
• Virtual Reality API, Mixed Reality API – using parameters of virtual reality devices for identification.
• window.name – – cross site leaks .
• navigator.sendBeacon – Used for web analytics.

[ShadowAce]

[rarestia]

FWIW, you can install the extension in MS Edge from the Chrome store, but it’s buggy including some visual issues. Glad to see they’re expanding this. I miss NoScript.

[ShadowAce]

Yeah--I'm not sure how much time I would spend online if I did not have Noscript.

I cannot stand ads.

[Openurmind]

Not just ads, real time 3rd party tracking API scripts too. I couldn’t live without NoScript either. The last year I have noticed sites are getting wise to JS blocking and have them shut down if it detects any JS blocking at all. Will this get around that Ace?

[Openurmind]

Why can’t you have NoScript?

[ShadowAce]

Not sure. If a site won't perform its function with my NoScript, I don't go to that site.

I've got Twitter, Facebook, and most Google services blocked. As a result, I don't get to some sites--including a couple of "conservative" sites--because they block the whole site when they detect my blocking.

[Openurmind]

I have found that if I do turn on the top Script listed “Domain.com” it meets the requirement needed to load the site. But then it adds several more scripts to the list NoScript is blocking. So even though I allowed the site JS so that things render correctly, NoScript is still catching and blocking the extra hidden stuff they try to shove on me when I toggle on the JS.

Once in awhile I might have to turn on the domain CDN too. The problem with some websites even if honest and innocent is that the website also incorporates JS for functions and graphics such as radio button links and Icons. So I think you can safely toggle on the top domain listing because NoScript is still blocking everything else.

Cool thing is, it will get around paywalls most times with just this top listing toggled on. :)

[ShadowAce]

Cool thing is, it will get around paywalls most times with just this top listing toggled on. :)

Yeah--and I never see ads on youtube.

[Openurmind]

An example of this is our site. Hit it with NoScript. It is written in 99% PHP, so there is very little JS incorporated. You can see that the only thing not rendering correctly are the button icons, and the minimum needed in site “user experience” cookies to remember what you did for “your posts/viewed posts” Etc... For some reason button icons must be a challenge for PHP, but they still function.

But you can safely toggle on the one domain listing. We have absolutely NO hidden 3rd party scripts local from the site. Unfortunately though, when things are embedded such as videos “their” scripts are then added. I would personally like to outlink everything like here but folks like embedded stuff.

https://timelessauthors.com/

[Openurmind]

Same here, I can also get around the major news site paywalls too. They have the content inline at the top of the stack before it reads down to the paywall cover page lines. :)

Shhh... lol

[Openurmind]

Went and read it, looks like it is just like NoScript...

[Openurmind]

https://microsoftedge.microsoft.com/addons/detail/noscript/debdhlbmgmkkfjpcglcbjadbhhekgfjh?hl=it-IT%3Fhl%3Dit-IT%22%3Fhl%3Dit-IT%3Fhl%3Dit-IT%22

[Pollard]

I use YesScript for a javascript blocker. Ghostery & uBlock Origin for privacy/ad blocker and Enhancer for Youtube to tweak youtube to my liking.

[rarestia]

NoScript was developed (almost) exclusively for Firefox and related browsers. They never ported it over to Chrome or Edge. There are some hacks one can use to make it work, but it’s not the same.

[rarestia]

Thank you for that, openurmind. That’s a recent addition. I hadn’t checked recently.

[minnesota_bound]

This might hurt Facebook and Twitter etc from spying on you : )

[Openurmind]

Absolutely my privilege, I hope it is stable for you. They have an addon at the Chrome store also but the comments say it broke when they recently updated it. So it is apparently buggy.