Disclaimer: This is a research project under development, see the issue page and the webextension home page for more details about the current status.
A JS-enabled web page can access any of the APIs that a web browser provides. The user has only a limited control and some APIs cannot be restricted by the user easily. jShelter aims to improve the user control of the web browser. Similarly to a firewall that controls the network traffic, jShelter controls the APIs provided by the browser. The goal is to improve the privacy and security of the user running the extension.
jShelter is a browser extension with support for multiple browsers: Firefox, Google Chrome, and Opera. The extension also works with Brave, Microsoft Edge, and most likely any Chromium-based browser. Let us know if you want to add the extension to additional store.
jShelter currently supports modifying and restricting the following APIs (for more details visit levels of protection page):
- window.Date object, window.performance.now() and window.PerformanceEntry provide high-resolution timestamps that can be used to idenfity the user or can be used for microarchitectural attacks and timing attacks.
- HTMLCanvasElement: Functions canvas.toDataURL(), canvas.toBlob(), CanvasRenderingContext2D.getImageData, OffscreenCanvas.convertToBlob() return either - modified image data based on session and domain keys, making canvas fingerprint unique, or white image. Canvas element provides access to HW acceleration which may reveal the card and consequently be used as a fingerprinting source.
- AudioBuffer and AnalyserNode: These API can be used to create fingerprint by analysing audio signal. jShelter modifies AudioBuffer.getChannelData(), AudioBuffer.copyFromChannel(), AnalyserNode.getByteTimeDomainData(), AnalyserNode.getFloatTimeDomainData(), AnalyserNode.getByteFrequencyData() and AnalyserNode.getFloatFrequencyData() to alter audio data based on domain key, or return white noise based on domain key, making audio fingerprint unique.
- WebGLRenderingContext: WebGL parameters and functions can expose hardware and software uniqueness. jShelter modifies function WebGLRenderingContext.getParameter() to return bottom values (null, 0, empty string, etc) or alter return values for certain arguments. WebGLRenderingContext.getActiveAttrib, WebGLRenderingContext.getActiveUniform,
WebGLRenderingContext.getAttribLocation, WebGLRenderingContext.getBufferParameter, WebGLRenderingContext.getFramebufferAttachmentParameter,
WebGLRenderingContext.getProgramParameter, WebGLRenderingContext.getRenderbufferParameter, WebGLRenderingContext.getShaderParameter,
WebGLRenderingContext.getShaderPrecisionFormat, WebGLRenderingContext.getTexParameter, WebGLRenderingContext.getUniformLocation,
WebGLRenderingContext.getVertexAttribOffset, WebGLRenderingContext.getSupportedExtensions, WebGLRenderingContext.getExtension are modified to return bottom values. WebGLRenderingContext.readPixels() is modified to return either empty image or modified image data based on session and domain keys.
- MediaDevices.prototype.enumerateDevices provides a unique strings identifying cameras and
microphones. This strings can be used to fingerprint the user (user session).
- navigator.deviceMemory or navigator.hardwareConcurrency can reveal hardware specification of the device.
- XMLHttpRequest (XHR) performs requests to the server after the page is displayed and gathered information available through other APIs. Such information might carry identification data or results of other attacks.
- ArrayBuffer can be exploited for microarchitectural attacks.
- Encapsulates window.DataView, window.Uint8Array, window.Int8Array, window.Uint8ClampedArray, window.Int16Array, window.Uint16Array, window.Int32Array, window.Uint32Array, window.Float32Array, window.Float64Array
- SharedArrayBuffer (window.SharedArrayBuffer) can be exploited for timing attacks.
- WebWorker (window.Worker) can be exploited for timing attacks.
- Geolocation API (navigator.geolocation): Although
the browser should request permission to access to the Geolocation API, the user can be unwilling
to share the exact position. jShelter allows the user to limit the precision of the API or disable the
API. jShelter also modifies the timestamps provided by Geolocation API in consistency with its time
- window.name provides a very simple cross-origin tracking method of the same tab, see https://github.com/polcak/jShelterestrictor/issues/72, https://developer.mozilla.org/en-US/docs/Web/API/Window/name, https://2019.www.torproject.org/projects/torbrowser/design/, https://bugzilla.mozilla.org/show_bug.cgi?id=444222, and https://html.spec.whatwg.org/#history-traversal. jShelter provides an option to remove any
window.name content on each page load.
- navigator.sendBeacon is an API desinged for analytics. jShelter provides an option to disable the API. The call returns success but nothing is sent to any web server.
Note that the spoofing and rounding actions performed by the extension can break the functionality of a website (e.g. Netflix). Please report to us any malfunction websites that do not track users.
Levels of Protection
jShelter provides four in-built levels of protection:
- 0 - the functionality of the extension is turned off. All web pages are displayed as intended without any interaction from jShelter.
- 1 - the minimal level of protection. Only changes that should not break most pages are enabled.
Note that timestamps are rounded so pages relying on precise time may be broken.
- 2 - intended to be used as a default level of protection, this level should not break any site
while maintaining strong protection.
- 3 - maximal level of protection: enable all functionality.
For more accurate description of the restrictions see levels of protection page.
The default level of protection can be set by a popup (clicking on jShelter icon) or through options of the extension. Specific level of protection for specific domains can be set in options by adding them to the list of websites with specific level of protection. This can be done also by a popup during a visit of the website.
If you have any questions or you have spotted a bug, please let us know.
If you would like to give us feedback, we would really appreciate it.
Once you install the extension, see the test page for the working demo on how the
extension can help in restricting JS capabilities.
This project is available as open source under the terms of the GPL 3.0 or later. However, some elements are being licensed under MIT license and MPL 2.0 license. For accurate information, please check individual files. As well as for accurate information regarding copyrights.