school/web-api-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
No description
24 commits 1 branch 14 tags 697 KiB
JavaScript 89.4%
HTML 10.2%
CSS 0.4%
Find a file
Peter Snyder b9cf1b9a8e update documentation in the pack library, to clarify that the values to/from the packing functions are not the same array, just arrays that contain the same values
2017-10-17 15:21:42 -05:00
background_scripts add ability to log what specific methods were blocked 2017-10-14 23:23:40 -05:00
config minify injected proxy blocking code, add some description of what the logging option does, have the javascript injected into each visited page remove its own <script> tag 2017-10-15 08:02:08 -05:00
content_scripts delete global WEB_API_MANAGER_PAGE property from page DOM once we're done with it, which should be the last remnant of the extension in the page script. 2017-10-17 15:00:52 -05:00
data/standards add ability to use aggressive and conservative default blocking sets 2017-10-13 23:23:49 -05:00
images initial work on popup, which lets the user know which related frames are loading script on the current page 2017-10-14 00:41:49 -05:00
lib update documentation in the pack library, to clarify that the values to/from the packing functions are not the same array, just arrays that contain the same values 2017-10-17 15:21:42 -05:00
popup reworking rule matching code to use host patterns, instead of regular expressions 2017-10-14 17:26:02 -05:00
.gitignore lots of JSlint based cleanup 2017-10-14 15:24:18 -05:00
gulpfile.js minify injected proxy blocking code, add some description of what the logging option does, have the javascript injected into each visited page remove its own <script> tag 2017-10-15 08:02:08 -05:00
LICENSE.txt add that text 2017-10-14 14:28:23 -05:00
manifest.json version bump 2017-10-17 15:01:24 -05:00
package-lock.json fill out the package.json file 2017-10-15 08:17:18 -05:00
package.json version bump 2017-10-17 15:01:24 -05:00
README.md add note to README.md that the extension doesn't make any changes by default. 2017-10-17 13:29:01 -05:00

README.md

Web API Manager

Note

By default, this extension does not make any changes. No aspects of the Web API are affected until you start creating custom rule sets, or modifying what Web API standards sites have access to by default. You can start creating these rules through the site's configuration pane.

Overview

This extension allows users to selectively allow different hosts on the web to have access to different types of browser functionality. Doing so allows security and privacy sensitive web users to limit the attack surface presented to websites, and to limit websites to the functionality they actually need to carry out user-serving purposes.

Background

Web browsers gain staggering numbers of new features, without their users knowing what new functionality is being pushed into their trusted base. While some of this functionality is broadly useful for things commonly thought of as "web" related, a large amount of it is useful in only rare situations, if ever. Examples of this rarely-needed functionality includes the low level audio synthesis capabilities of the Web Audio API, the low level graphics capabilities of WebGL, or the light sensing capabilities of the Ambient Light Sensor API. Such complex-but-rarely-used functionality has been often used in attacks on the security and privacy of the web.

Other functionality is frequently used by web sites, but for non-user-serving purposes, like fingerprinting anonymous users and tracking them across websites. Examples of such functionality includes parts of the SVG API, parts of the the Canvas Element's functionality, and the Beacon standard, among many others.

This extension helps users stay private and secure online by limiting websites to only the functionality they need, and prevent them from accessing rarely needed and/or privacy violating functionality.

Functionality

The extension currently includes the following functionality:

  • Creation of domain-specific functionality rules, based on host-matching regular expressions.
  • Blocking of functionality across all domains, with a fallback, "default" blocking rule.
  • A novel method of blocking functionality, designed to minimize the effect of removing functionality on existing code that expects that functionality to be in place.
  • A categorization of approximately 1,400 JavaScript methods into 74 different Web API standards (and, where appropriate, sub-standards).
  • User feedback to alert users how many hosts are executing script every time they visit a site, to ease the creating of new rules.

The following functionality is not currently implemented, but is being considered for future inclusion:

  • The ability to subscribe to blocking rule sets created by trusted third parties, similar to the EasyList / AdBlockPlus model of rule subscriptions.
  • Blocking property accesses on non-global structures through an additional level of interposition on runtime created objects.
  • Adding new Web API standards into the code base.
  • Extend blocking to properties and events (currently only functions and methods are interposed on).

Background

This extension is based on research conducted at the BITSLab at the University of Illinois at Chicago. Further information on the measurements and techniques used in this extension can be found in the following papers.