NoScript Contextual Policies & LAN protection
Application Boundaries Enforcer (ABE) for new generation of browsers
NoScript is a FOSS browser extension for Firefox, Chromium and its derivatives. It can be used on desktop and mobile browsers, and enhances security by providing control over JavaScript and other active content. It is the first and still most effective XSS filter. NoScript is an integral part of the Tor Browser, as the back-end of its "Security Level" settings.
ABE-Quantum is the next generation of the Application Boundary Enforcer (ABE), a NoScript module that provided protection against several cross-site and cross-network attacks. When Mozilla abandoned the legacy Firefox add-ons platform in 2017, ABE did not survive the painful transition to the new cross-browser (but backward incompatible) WebExtensions API. The ABE-Quantum project aims to bring the main ABE features to WebExtension-capable browsers, and specifically: 1) contextual content blocking policies depending both on the origin and the destination of the request, e.g. "Block facebook.net scripts everywhere unless the parent site is facebook.com"; 2) protecting LAN endpoints (i.e. routers or other internal applications) against browser-based attacks from the WAN using the web layer to work-around traditional firewalls. These features will be integrated in NoScript's user interface - rather than leveraging a firewall-inspired policy definition language like in the original ABE - in order to provide a simpler, more accessible and more intuitive user experience.
- The project's own website: https://noscript.net
Why does this actually matter to end users?
As you fire up your computer, laptop or smartphone and click your browser icon to connect to your favorite site, do you know what happens behind the scenes? Modern websites offer their users a ton of functionalities, but it is becoming increasingly difficult to know just how all these slick graphics, popups and interactive elements actually work, and what they do precisely. This is very true for most users, but even those more technically inclined may not be entirely sure what happens on their browsers exactly. Not because they lack the knowledge or tools, but because a lot of these little bits of software that come with visiting particular websites are not transparent.
Simply put, you open a site, your browser is sent some programs that immediately run on your computer and you do not and cannot know what is going on. This poses many problems, not just for user agency and freedom, but also for privacy and security when we have some unrecognizable piece of software from some unknown source run on our system, that might hold sensitive personal data or run vital services. Your browser may know how to protect you from harm, but would it not be better to go straight to the source and make sure we can actually trust what we run?
To make sure we can browse the web more privately and securely we need control over what our browser is actually doing and what programs it allows to run for which purpose. NoScript is a popular open source browser extension that does precisely this: it gives the user control over what content and programs can and cannot do, while protecting against widely exploited website vulnerabilities. These capabilities are why the privacy-friendly Tor Browser comes with NoScript turned on.
Extensions like NoScript give users back some control over their online experience, protecting them against harmful exploits. This project aims to further strengthen this protection and mitigate other prevalent browser-based attacks while making NoScript easier and more intuitive to use, so that this privacy-friendly technology is not only future-proof, it can also give everyone the safe online experience they deserve.
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.