JShelter
Cross-browser extension to make javascript less exploitable
The Internet is vital to the everyday lives of billions of people. That's why it's especially problematic that, in the course of using the Web, even from an otherwise fully free machine, browsers run nonfree programs that are outside the control, and even awareness, of many users. These programs run behind the scenes -- but on the user's system -- whenever the Web server says to run them. They are typically served to the user as minified JavaScript, and few provide the corresponding human readable source code, or a free license allowing users to lawfully inspect and modify the program. By definition, these programs infringe user freedom. In practice, this also means they pose serious threats to users' privacy and security -- such as by surreptitiously using a user's CPU to mine cryptocurrency, or by capturing and manipulating keystrokes. The Free Software Foundation is working to make all JavaScript on the Web be free software; its JavaScript Shield project is a freely licensed anti-malware browser add-on to limit potential threats from JavaScript, such as fingerprinting, tracking and data collection. It would ask -- globally or per site -- if specific native functions provided by the JavaScript engine and the DOM are allowed by the user. It would also link to an explanatory page for each function, to raise awareness of related threats. Depending on the function being addressed, the user would have the option to allow it, block it, or have it return a spoofed value. This extension will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript.
- The project's own website: https://jshelter.org
Why does this actually matter to end users?
As you fire up your computer, laptop or smartphone and click your browser icon to connect to your favorite site, do you know what happens behind the scenes? Modern websites offer their users a ton of functionalities, but it is becoming increasingly difficult to know just how all these slick graphics, popups and interactive elements actually work, and what they do precisely. This is very true for most users, but even those more technically inclined may not be entirely sure what happens on their browsers exactly. Not because they lack the knowledge or tools, but because a lot of these little bits of software that come with visiting particular websites are not transparent.
Simply put, you open a site, your browser is sent some programs that immediately run on your computer and you do not and cannot know what is going on. This poses many problems, not just for user agency and freedom, but also for privacy and security when we have some unrecognizable piece of software from some unknown source run on our system, that might hold sensitive personal data or run vital services. Your browser may know how to protect you from harm, but would it not be better to go straight to the source and make sure we can actually trust what we run?
One of the ways to make sure we can browse the web more privately and securely is to actually understand the programs that websites request our browsers to run. This project is one part of the core mission of the Free Software Foundation's to make all software free. Free as in freedom, not free beer: users should be able to study how software works, modify it and share it. If not, software not only limits your freedom, it can also be insecure and harm your privacy. There simply is no way of knowing.
This is why the FSF intends to make a browser add-on that protects you from threats on the web and make it into a control room for users: with the push of a button, you can allow, block or spoof requests coming from some program that a web server sent you. Instead of a simple blocker tool that can make browsing a pain, users have granular control over what a website can and cannot do, and in the meanwhile learn the benefits of software that is transparent (and the many downsides of programs that are not).
Run by Free Software Foundation
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.
