
Free Software Foundation Introduces JShelter Browser Add-on to Restrict JavaScript API


The Free Software Foundation has unveiled the JShelter project, which develops a browser add-on to protect against threats posed by JavaScript on websites, including covert identification (fingerprinting), movement tracking and user data collection. The project code is distributed under the GPLv3 license. The add-on is available for Firefox, Google Chrome, Opera, Brave, Microsoft Edge and other browsers based on the Chromium engine.

The project is being developed as a joint initiative funded by the NLnet Foundation. JShelter has also been joined by Giorgio Maone, the creator of the NoScript add-on, as well as the founders of the J++ project and the authors of the JS-Shield and JavaScript Restrictor add-ons. The JavaScript Restrictor add-on serves as the basis for the new project.

JShelter can be thought of as a firewall for the JavaScript APIs available to sites and web applications. The add-on provides four levels of protection as well as a flexible mode for configuring API access. Level zero allows access to all APIs, level one applies minimal restrictions that do not disrupt the operation of pages, level two balances restrictions against compatibility, and level three strictly blocks everything unnecessary.


API blocking settings can be tied to individual sites: for one site you can strengthen the protection, for another disable it. You can also selectively block particular JavaScript methods, objects, properties and functions, or spoof their return values (for example, report false information about the system). A separate NBS (Network Boundary Shield) mode prevents pages from using the browser as a proxy between the external and local networks (all outgoing requests are intercepted and analyzed).

Blocked or restricted APIs:

  • window.Date, window.performance.now(), window.PerformanceEntry, Event.prototype.timeStamp, Gamepad.prototype.timestamp and VRFrameData.prototype.timestamp – the exact time they report can be used for identification and for side-channel attacks.
  • HTMLCanvasElement (canvas.toDataURL(), canvas.toBlob(), CanvasRenderingContext2D.getImageData(), OffscreenCanvas.convertToBlob()) – used to determine characteristics of the graphics subsystem when identifying a user.
  • AudioBuffer and AnalyserNode (AudioBuffer.getChannelData(), AudioBuffer.copyFromChannel(), AnalyserNode.getByteTimeDomainData(), AnalyserNode.getFloatTimeDomainData(), AnalyserNode.getByteFrequencyData() and AnalyserNode.getFloatFrequencyData()) – identification through analysis of audio signals.
  • WebGLRenderingContext – identification through analysis of the characteristics of the graphics stack and GPU.
  • MediaDevices.prototype.enumerateDevices – identification by obtaining the parameters and names of the camera and microphone.
  • navigator.deviceMemory, navigator.hardwareConcurrency – obtaining hardware information.
  • XMLHttpRequest (XHR) – transferring the collected system information to an external server after the page has loaded.
  • ArrayBuffer – carrying out microarchitectural attacks such as Spectre.
  • WebWorker (window.Worker), SharedArrayBuffer (window.SharedArrayBuffer) – attacks that estimate data access latency.
  • Geolocation API (navigator.geolocation) – access to location information (the add-on can distort the returned data).
  • Gamepad API (navigator.getGamepads()) – one of the identification signals, based on the presence of a gamepad in the system.
  • Virtual Reality API, Mixed Reality API – using the parameters of virtual reality devices for identification.
  • window.name – cross-site leaks.
  • navigator.sendBeacon – used for web analytics.
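To illustrate the "API firewall" idea described above (level-dependent wrappers that coarsen high-resolution timers and spoof navigator.hardwareConcurrency / navigator.deviceMemory), here is a miniature added example. It is not JShelter's own code: the per-level precision and hardware values in POLICY are illustrative assumptions, and the window object is a constructed stand-in so the code runs under Node.

```javascript
// Constructed stand-in for a browser window (not a real DOM) so this runs in Node.
function makeWindow(cores, memoryGb) {
  let clock = 1000.123456;                      // simulated high-resolution clock, ms
  return {
    performance: { now: () => (clock += 0.123456) },
    navigator: { hardwareConcurrency: cores, deviceMemory: memoryGb },
  };
}

// Round a timestamp down to a multiple of precisionMs, discarding the fine-grained
// bits that timing-based fingerprinting and side-channel code rely on.
function coarsenTime(ms, precisionMs) {
  return Math.floor(ms / precisionMs) * precisionMs;
}

// Illustrative policy per protection level (assumed values, not JShelter's):
// 0 = off, 1 = minimal, 2 = balanced, 3 = strict. null means "leave untouched".
const POLICY = {
  0: null,
  1: { timerPrecisionMs: 1,   cores: null, memoryGb: null },
  2: { timerPrecisionMs: 10,  cores: 4,    memoryGb: 8 },
  3: { timerPrecisionMs: 100, cores: 2,    memoryGb: 4 },
};

// Install the wrappers for a level on the window; returns the window for chaining.
function shield(win, level) {
  const p = POLICY[level];
  if (!p) return win;                           // level 0: every API left as-is
  const realNow = win.performance.now;          // keep the original, then wrap it
  win.performance.now = () => coarsenTime(realNow(), p.timerPrecisionMs);
  const nav = win.navigator;
  if (p.cores !== null) {                       // clamp so most users report the same value
    const cores = Math.min(nav.hardwareConcurrency, p.cores);
    Object.defineProperty(nav, 'hardwareConcurrency', { get: () => cores });
  }
  if (p.memoryGb !== null) {
    const mem = Math.min(nav.deviceMemory, p.memoryGb);
    Object.defineProperty(nav, 'deviceMemory', { get: () => mem });
  }
  return win;
}

// What a fingerprinting script would observe from the hardware APIs.
function hardwareFingerprint(win) {
  return `${win.navigator.hardwareConcurrency}c/${win.navigator.deviceMemory}g`;
}
```

At level 3 two machines with different core and memory counts both report "2c/4g" and timestamps that are multiples of 100 ms, while level 0 passes the real values through unchanged.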
