Free Software Foundation introduces the JShelter browser add-on to restrict JavaScript APIs

The Free Software Foundation has unveiled the JShelter project, which develops a browser add-on to protect against threats that arise when websites use JavaScript, including covert identification (fingerprinting), tracking of user movements, and accumulation of user data. The project code is distributed under the GPLv3 license. Builds of the add-on are available for Firefox, Google Chrome, Opera, Brave, Microsoft Edge and other browsers based on the Chromium engine.

The project is being developed as a collaborative initiative funded by the NLnet Foundation. Giorgio Maone, the creator of the NoScript add-on, as well as the founders of the J++ project and the authors of the JS-Shield and JavaScript Restrictor add-ons, have joined the development of JShelter. The JavaScript Restrictor add-on serves as the basis of the new project.

JShelter can be thought of as a kind of firewall for the JavaScript APIs available to websites and web applications. The add-on provides four levels of protection, as well as a flexible mode for configuring access to individual APIs. Level zero allows access to all APIs; the first level applies minimal blocking that does not disrupt the operation of pages; the second level balances blocking against compatibility; and the fourth level strictly blocks everything superfluous.

API blocking settings can be tied to individual sites: for example, you can increase protection for some sites and disable it for others. You can also selectively block certain JavaScript methods, objects, properties and functions, or spoof their return values (for example, report false information about the system). A separate feature is the NBS (Network Boundary Shield) mode, which prevents pages from using the browser as a proxy between external and local networks: all outgoing requests are intercepted and analyzed.
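The decision that the NBS mode has to make, written out as an added example; this is not JShelter's own code and the function names (crossesNetworkBoundary, isLocalNetworkHost, and so on) are this example's assumptions. The rule is that a request sent by a page on a public host to a loopback or private-network address crosses the boundary and is refused, while requests from a local page to another local address, or from a public page to a public host, pass.

```javascript
// Added example, not JShelter's own code: the boundary decision behind a
// Network Boundary Shield. Function names are this example's assumptions.

// Parse dotted-quad IPv4 text into its four octets, or null if it is not one.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// RFC 1918 private ranges, loopback (127/8), link-local (169.254/16) and "this host" (0/8).
function isPrivateOrLoopbackIPv4(host) {
  const o = parseIPv4(host);
  if (!o) return false;
  return (
    o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    o[0] === 127 ||
    (o[0] === 169 && o[1] === 254) ||
    o[0] === 0
  );
}

// IPv6 loopback (::1), unspecified (::), unique-local (fc00::/7) and link-local (fe80::/10).
// Only IPv6 literals (which always contain ':') are considered, so a DNS name
// such as "fdexample.com" is never mistaken for an address.
function isPrivateOrLoopbackIPv6(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  if (!h.includes(':')) return false;
  return h === '::1' || h === '::' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h);
}

// Does this hostname denote the local machine or the local network?
function isLocalNetworkHost(host) {
  const h = host.toLowerCase();
  return (
    h === 'localhost' || h.endsWith('.localhost') ||
    isPrivateOrLoopbackIPv4(h) || isPrivateOrLoopbackIPv6(h)
  );
}

// The shield's rule: block only when a non-local page reaches into the local network.
function crossesNetworkBoundary(pageOrigin, requestUrl) {
  const pageHost = new URL(pageOrigin).hostname;
  const requestHost = new URL(requestUrl).hostname; // IPv6 literals keep their brackets here
  return !isLocalNetworkHost(pageHost) && isLocalNetworkHost(requestHost);
}

// Apply the rule to a batch of (page origin, request URL) pairs and report each decision.
function evaluateRequests(pairs) {
  return pairs.map(([page, url]) => ({ page, url, blocked: crossesNetworkBoundary(page, url) }));
}

// Constructed sample traffic; the hosts are placeholders, not real sites.
const SAMPLE_REQUESTS = [
  ['https://news.example', 'https://cdn.example/app.js'],
  ['https://news.example', 'http://192.168.1.1/'],
  ['https://news.example', 'http://localhost:8080/'],
  ['https://news.example', 'http://[::1]:3000/'],
  ['http://localhost:3000', 'http://127.0.0.1:9000/'],
];

console.table(evaluateRequests(SAMPLE_REQUESTS));
```

Classifying by hostname is only the first approximation: a public-looking DNS name can resolve to an internal address, so a shield that sits in the browser's request pipeline should base its decision on the IP address the browser actually connected to, which the example's URL-only view cannot see.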

Blocked or restricted APIs:

  • window.Date, window.performance.now(), window.PerformanceEntry, Event.prototype.timeStamp, Gamepad.prototype.timestamp, and VRFrameData.prototype.timestamp - the exact timestamps they return can be used for identification and for timing side-channel attacks.
  • HTMLCanvasElement (canvas.toDataURL(), canvas.toBlob(), CanvasRenderingContext2D.getImageData, OffscreenCanvas.convertToBlob()) - used to determine the characteristics of the graphics subsystem when identifying a user.
  • AudioBuffer and AnalyserNode (AudioBuffer.getChannelData(), AudioBuffer.copyFromChannel(), AnalyserNode.getByteTimeDomainData(), AnalyserNode.getFloatTimeDomainData(), AnalyserNode.getByteFrequencyData() and AnalyserNode.getFloatFrequencyData()) - identification through analysis of audio signal processing.
  • WebGLRenderingContext - identification through analysis of the characteristics of the graphics stack and GPU.
  • MediaDevices.prototype.enumerateDevices - identification by obtaining the parameters and names of the camera and microphone.
  • navigator.deviceMemory, navigator.hardwareConcurrency - obtaining hardware information.
  • XMLHttpRequest (XHR) - can be used to send the collected system information to an external server after the page has loaded.
  • ArrayBuffer - conducting microarchitectural attacks such as Spectre.
  • WebWorker (window.Worker), SharedArrayBuffer (window.SharedArrayBuffer) - carrying out timing attacks that measure delays in accessing data.
  • Geolocation API (navigator.geolocation) - access to location information (the add-on allows the returned data to be distorted).
  • Gamepad API (navigator.getGamepads()) - the presence of a gamepad in the system is one of the features used for identification.
  • Virtual Reality API, Mixed Reality API - using the parameters of virtual reality devices for identification.
  • window.name - cross-site data leaks.
  • navigator.sendBeacon - used for web analytics.
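How an add-on of this kind restricts an API in practice, as an added example that is not JShelter's code: the page's view of an API is replaced by a wrapper that returns a coarsened or spoofed value, and the original is kept so it can be restored. The example takes two entries from the list above, the high-resolution timers (performance.now(), Date.now()) and the hardware counters (navigator.hardwareConcurrency, navigator.deviceMemory), and applies them at graded levels in the spirit of JShelter's protection levels. The names installShield, coarsenTime, override, wrapMethod and makeFakeWindow, and the 100 ms rounding grid, are this example's assumptions; the fake window object is constructed so the code runs outside a browser.

```javascript
// Added illustration, not JShelter's own code: wrapping JavaScript APIs so that
// pages receive coarsened or spoofed values. All names here are this
// example's assumptions.

const TIMER_PRECISION_MS = 100; // constructed value: round timers to a 100 ms grid

// Round a timestamp down to a coarser grid. Coarse timers still serve ordinary
// pages but are too imprecise for cache-timing side channels and for
// fingerprinting that relies on exact clock readings.
function coarsenTime(ms, precision = TIMER_PRECISION_MS) {
  return Math.floor(ms / precision) * precision;
}

// Replace obj[name] with `value`, remembering the original descriptor.
// Returns a function that restores the original.
function override(obj, name, value) {
  const original = Object.getOwnPropertyDescriptor(obj, name);
  Object.defineProperty(obj, name, { value, configurable: true, writable: true, enumerable: true });
  return () => {
    if (original) Object.defineProperty(obj, name, original);
    else delete obj[name];
  };
}

// Wrap a method so its result passes through `transform` before the page sees it.
function wrapMethod(obj, name, transform) {
  const originalFn = obj[name].bind(obj); // bind: native methods reject a foreign `this`
  return override(obj, name, (...args) => transform(originalFn(...args)));
}

// Install wrappers on a window-like object. `level` mirrors the graded idea:
// 0 = touch nothing, 1 = coarsen timers, 2 = also report fixed, common-looking
// hardware values instead of the real ones.
function installShield(win, level) {
  const restorers = [];
  if (level >= 1) {
    restorers.push(wrapMethod(win.performance, 'now', (t) => coarsenTime(t)));
    restorers.push(wrapMethod(win.Date, 'now', (t) => coarsenTime(t)));
  }
  if (level >= 2) {
    restorers.push(override(win.navigator, 'hardwareConcurrency', 2));
    restorers.push(override(win.navigator, 'deviceMemory', 4));
  }
  // Undo in reverse order so the overrides unwind cleanly.
  return () => [...restorers].reverse().forEach((restore) => restore());
}

// Constructed stand-in for `window` with fixed readings, so the example runs in Node.
function makeFakeWindow() {
  return {
    performance: { now: () => 1234.5678 },
    Date: { now: () => 1700000000123 },
    navigator: { hardwareConcurrency: 16, deviceMemory: 32 },
  };
}

// What a page would observe through the four APIs at this moment.
function snapshot(win) {
  return {
    perfNow: win.performance.now(),
    dateNow: win.Date.now(),
    cores: win.navigator.hardwareConcurrency,
    memory: win.navigator.deviceMemory,
  };
}

// Observe the APIs before the shield, with it installed, and after restoring.
function demoShield(level) {
  const win = makeFakeWindow();
  const before = snapshot(win);
  const restore = installShield(win, level);
  const after = snapshot(win);
  restore();
  return { before, after, restored: snapshot(win) };
}

console.log(JSON.stringify(demoShield(2), null, 2));
```

In a real add-on the wrapper has to be injected into the page's own JavaScript realm before any page script runs, and the replacement must also cover alternative paths to the same value (prototype methods, iframes' windows, workers), which is why the list above names prototypes such as Event.prototype.timeStamp and the worker constructors rather than single properties.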

Source: opennet.ru
