#64 Consider the future of the XHR wrapper
Opened 2 years ago by polcak. Modified 2 years ago

The XHR wrapper was created in one of the earliest proof-of-concept versions. The trouble with the wrapper is that we limit some uploads but not all, such as those made through the Fetch, SSE, WebRTC, and WebSockets APIs and others.

We introduced NBS, which aims at preventing web pages from misusing the browser as a proxy. We introduced FPD, which aims at blocking fingerprinting attempts (with some caveats). Both work on a higher level, so they do not differentiate between requests created by different mechanisms (like https://github.com/cure53/HTTPLeaks).

On the other hand, some users consider XHR wrappers useful. The primary advantage of this wrapper is that a user can control each specific request. If we find XHR wrappers useful, we should wrap other mechanisms (like fetch). But we won't be able to prevent all leaks (https://github.com/cure53/HTTPLeaks). So maybe we should just remove XHR wrappers so that they do not create a false sense of security.

For now, we keep XHR wrappers as originally implemented, with a warning message in the group description described in the UI. Users that find the wrapper useful can continue using it; others do not have the wrapper activated.
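
Added example, not part of the ticket or the project's code: a coverage audit showing why a per-request confirmation on XHR alone leaves the other mechanisms named above unmediated. The `scope` object, its stub APIs, `wrapXHR`, `auditCoverage` and the `tracker.example` URLs are all constructed for illustration.

```javascript
// `scope` stands in for a page's global object; every API here is a stub
// that records what would have been sent instead of touching the network.
const NETWORK_APIS = ["XMLHttpRequest", "fetch", "EventSource", "WebSocket", "RTCPeerConnection"];
const WRAPPED = Symbol("wrapped");

function makeScope() {
  const log = [];
  return {
    log,
    XMLHttpRequest: class {
      open(method, url) { this.url = url; }
      send() { log.push("XMLHttpRequest " + this.url); }
    },
    fetch: (url) => { log.push("fetch " + url); },
    EventSource: class { constructor(url) { log.push("EventSource " + url); } },
    WebSocket: class { constructor(url) { log.push("WebSocket " + url); } },
    RTCPeerConnection: class { constructor() { log.push("RTCPeerConnection"); } },
  };
}

// Hypothetical wrapper: ask confirmFn(url) before each XHR send proceeds.
function wrapXHR(scope, confirmFn) {
  const proto = scope.XMLHttpRequest.prototype;
  const origSend = proto.send;
  proto.send = function (...args) {
    if (!confirmFn(this.url)) throw new Error("request denied by user");
    return origSend.apply(this, args);
  };
  scope.XMLHttpRequest[WRAPPED] = true;
}

// Report request-capable APIs present in the scope that no wrapper mediates.
function auditCoverage(scope) {
  return NETWORK_APIS.filter((n) => typeof scope[n] === "function" && !scope[n][WRAPPED]);
}

function demo() {
  const scope = makeScope();
  wrapXHR(scope, () => false); // the user denies every XHR
  const url = "https://tracker.example/collect"; // constructed URL
  try {
    const xhr = new scope.XMLHttpRequest();
    xhr.open("POST", url);
    xhr.send();
  } catch (e) { /* denied, nothing logged */ }
  scope.fetch(url);
  new scope.EventSource(url);
  new scope.WebSocket("wss://tracker.example/ws");
  return { sent: scope.log, unwrapped: auditCoverage(scope) };
}
```
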
