JavaScript Restrictor: improve privacy by limiting web browser APIs

Martin Brinkmann
Oct 4, 2021
Firefox add-ons, Google Chrome extensions
|
38

JavaScript Restrictor is an open s0urce cross-browser extension designed to improved user privacy by limiting access to APIs of web browsers that websites may use when running JavaScript. The extension is developed by Libor Pol?ák and several contributors, including Giorgio Maone, who is known for the NoScript extension. Development is supported by the European Commission's Next Generation Internet program.

The main goal of the project is to give back some control to users of web browsers when it comes to web browser APIs that may be abused by sites for user tracking and other invasive activities. The extension may block access to APIs that it supports outright, or manipulate the data that is provided to sites.

Various websites collect information about users without their awareness. The collected information is used to track users. Malicious websites can fingerprint user browsers or computers. JavaScript Restrictor protects the user by restricting or modifying several web browser APIs used to create side-channels and identify the user, the browser or the computer. JavaScript Restrictor can block access to JavaScript objects, functions and properties or provide a less precise implementation of their functionality, for example, by modifying or spoofing values returned by the JS calls. The goal is to mislead websites by providing false data or no data at all.

The extension modifies and restricts access to web browser APIs. The list of supported APIs is available on the project's GitHub webpage. It includes HTMLCanvasElement, XMLHTTPRequest, ArrayBuffer, Geolocation API, WebWorker, window.name, navigator.sendBeacon, WebGLRenderingContext and others.

JavaScript Restrictor

JavaScript Restrictor is available for Mozilla Firefox, Google Chrome and Opera, and it works in other Chromium-based browsers such as Brave, Vivaldi or Microsoft Edge as well.

Protection is divided into different levels, with level 2 being the default option for all visited websites. Options to set different levels for sites are provided.

  • Level 0 -- no protection
  • Level 1 -- minimal protection. Only non-functionality breaking changes are applied
  • Level 2 -- recommended protection. More protections are applied. Some sites may break.
  • Level 3 -- high level of protection. Full protections are applied.

The full list of protections of the levels is found on the project's GitHub page. Network Boundary Shield is enabled by default. It prevents web pages from using the browser "as a proxy between local network and the public Internet".

The protection encapsulates the WebRequest API, so it captures all outgoing requests including all elements created by JavaScript.

The JavaScript Restrictor extension adds an icon the browser's main toolbar after installation. It displays the current level of protection on the site, and acts as a menu to change the level for that site on activation.

Just switch the level to another value to set a different protection level for the active site.  The Network boundary shield may be disabled for the site as well using the action menu.

Closing words

JavaScript Restrictor works in most modern web browsers. It improves user privacy by limiting access to certain browser APIs, which may be abused by sites for tracking and other forms of attacks. Check out the project's website to find out more about it.

Summary
Author Rating
3 based on 31 votes
Software Name
JavaScript Restrictor
Software Category
Browser
Landing Page
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Anonymous said on December 12, 2021 at 7:04 pm
    Reply

    max3 hit the nail on the head… the only one thinking outside the box. Often the answer is simple. 100% unique with randomization. Mic drop, thread closed, keyboard warriors neutralized.

  2. max3 said on November 23, 2021 at 8:03 pm
    Reply

    I don’t get what is wrong with being unique. It is impossible for my browser to look exactly the same as all the other browsers on the web. My operating system’s enabled font set alone gives me away every time. I would prefer to be 100% unique, BUT a different unique every time I start my browser. What browsers need to do is stop letting javascript analyse every last aspect of the user’s computer, monitor and operating system. Spoof those numbers differently every time I restart my browser and keep them the same until I exit the browser.

  3. pd said on October 7, 2021 at 3:58 am
    Reply

    There’s a confusing amount of project names and outcome names here.

    jshelter
    JS Shield
    Javascript Restrictor

    For example, this:

    https://i.imgur.com/FmeIwfq.png

    … leads to:

    https://i.imgur.com/AqkLf6z.png

    Which is a dubious landing point because it dictactes the “cs” language whereas this link:

    https://addons.mozilla.org/firefox/addon/javascript-restrictor/

    …defaults to the user’s chosen language. For example, redirecting to:

    https://addons.mozilla.org/en-US/firefox/addon/javascript-restrictor/

    Brilliant project concept. That the internet is finally getting some regulated, election (at least, in theory!) accountable funding is extremely well overdue, but still underdone. The idea, from a decade or so ago, that governments are too slow and inept to keep tabs on, and be sheriff to the interwebnets lawless wild wild west nature is poppycock. Without democratic influence, look at the rampant spy network the web has become! Good on you, EU!

  4. Lets go Brandon said on October 6, 2021 at 1:09 am
    Reply

    G. Manone and his NoScript has a confirmed bad track record. No wonder why such shady guy gets funding from EU.

  5. I hate brave so much said on October 5, 2021 at 10:00 pm
    Reply

    This is so sad. Iron Heart again with its “anonymous” first comment and the nonsense that follows.

    This should have been printed in bold red communist letters –
    > Development is supported by the European Commission’s Next Generation Internet program.

    1. Iron Heart said on October 6, 2021 at 2:50 pm
      Reply

      @I hate brave so much (totally not a troll nick, yeah)

      You too haven’t learn yet that I never post under any other pseudonym than “Iron Heart” here. I have no reason to. Seems like there are people who share my opinion out there, could be one of those other 40 million Brave users, you know.

  6. Jeff M.S. said on October 5, 2021 at 8:36 pm
    Reply

    I thought it was understood that extensions like these are not for blocking fingerprinting or tracking but for improving JS security and prevent websites from abusing JS.

    But the big problem is that keeping track of and observing websites which break is hell.

  7. Jim said on October 5, 2021 at 4:27 pm
    Reply

    More fingerprinting by using JavaScript Restrictor.

  8. Anonymous said on October 5, 2021 at 3:04 pm
    Reply

    Interesting extension, the default protects against fingerprinting by timing, canvas, hardware. It also restricts geolocation accuracy and disables beacons.

    The “network boundary shield”, if it’s what I think it is, preventing access to local network by sites, can be done in ublock origin too, by enabling the “Block access to LAN” filter list, that is included but not enabled by default.

    About the Battery status API that they disable, I think that at least in Firefox it has been no longer exposed to the sites for some time already:

    https://bugzilla.mozilla.org/show_bug.cgi?id=1313580

    but one never really knows with Mozilla.

    The window.name is cleared with each page load by the extension. Firefox 88+ had already if one believes them a counter for this being used as a tracking cookie:

    https://blog.mozilla.org/security/2021/04/19/firefox-88-combats-window-name-privacy-abuses/

    but this only confined the window.name supercookies to their own sites, meaning it could still be used as a first-party tracking cookie, which becomes more difficult with this extension. And Firefox was supposed to have done its site isolation of window.name already since version 82:

    https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/82#dom

    their contradictory statements showing once again that their announcements can’t be trusted. Could this cross-site supercookie mechanism be used between versions 82 and 88, or not ?

    The non-default level 3 seems to provide also security-related changes (“ArrayBuffer exploitation”, “SharedArrayBuffer exploitation”, “WebWorker exploitation”), this is reminiscent of NoScript bundling various security features, but like in Noscript I would like to know what those problems really are and if they’re not exaggerated. I am also skeptical about having to confirm every xhr request in that level 3.

  9. Ayy said on October 5, 2021 at 5:11 am
    Reply

    I tried this addon a couple days ago, it breaks legit sites and doesn’t have any way to adjust what it blocks, nor does it tell you what it blocks and the only thing you can do is whitelist sites and change the blocking level. Very amateur addon severely lacking in features.

    1. Jeff M.S. said on October 5, 2021 at 8:37 pm
      Reply

      Which level of protection did you use it with it? Does level 1 also break sites?

  10. Anonymous said on October 5, 2021 at 12:21 am
    Reply

    Some here fail te realize that fingerprinting protection is not about just faking who you are, but constantly permutating those values. So, yes, you may be unique, but you’re less trackable.

  11. Dave said on October 4, 2021 at 8:14 pm
    Reply

    What “Pigeonhole Web-Browsing” said.

    Sometimes you want to be tracked, sometimes you don’t.

    Me, I block all JS by default and then allow or more often, temporarily allow, what I need at that moment.

  12. Anonymous said on October 4, 2021 at 7:42 pm
    Reply

    Jshelter anyone?

  13. Pigeonholed Web-browsing said on October 4, 2021 at 6:25 pm
    Reply

    Instead of trying to become a digital locksmith, worrying every browser setting to obtain an ultimately private solution, I’ve found it far more effective to use multiple browsers with each their own separate profile directories. Add UblockO to each for aesthetics and usability.
    I use ungoogled Chromium for YouTube and only for YouTube. Both are Google owned so there ain’t no hiding much from them in those instances.
    Similarly, separate your total browsing into isolated pie wedges. One browser for this, one browser for that…
    My IRL ID, financial/payments and related email address are only ever entered into one highly isolated browser. It’s used for shopping transactions and nothing else, ever.
    Pigeonhole Web-Browsing

  14. Jonn Doe said on October 4, 2021 at 5:13 pm
    Reply

    @JonSnow

    > No matter what you do and what Browser you use you will be tracked.

    I tend to agree, however, If that is the case, would it matter that you try and do something about it? Seeing as you’re unique anyway.

    1. Richard Steven Hack said on October 5, 2021 at 2:43 am
      Reply

      If you like wasting time and effort, go for it.

  15. JonSnow said on October 4, 2021 at 4:43 pm
    Reply

    No matter what you do and what Browser you use you will be tracked. That’s the reality of Internet this days. The best you could to use a Ad-blocker like Ublock O to block ads and basic tracking extension or whatever way you protect yourself….other than that I do nothing else. I can live with that.

    1. Richard Steven Hack said on October 5, 2021 at 2:42 am
      Reply

      Correct. And what no one ever discusses is why it matters. 99.9999% of the population don’t care – or if they say they do, they’re lying because they don’t really do anything to prevent being tracked.

      And 99.9999% of the population aren’t being tracked by any government agency other than the fact that everything they do online *is* captured by the NSA for perusal only when it matters to the NSA. Is this good? No. Can it be stopped? No. Not without dismantling the US government. Ed Snowden was educational but ultimately a waste of time.

      99.9999% of companies are tracking you so they can show you relevant ads. Who gives a rat’s ass? Not that I want to see ads at all (which is why I use an ad-blocker). but if I did I’d *want* to see relevant ads. I wish I could convince Youtube to show me *really* relevant videos on my home page other than the crap in foreign languages they try to show me.

      People need to understand: You can haz better security. You can haz worse security. But you cannot haz “security”. There is no security. Deal. And that applies to privacy.

  16. ULBoom said on October 4, 2021 at 3:43 pm
    Reply

    The more you do to become private, the more unique you become. In order for a request you make (that’s how browsing works, you request information) to be fulfilled, a site has to know to whom the data is to be sent.

    If you block ads and trackers, regardless of method, if you don’t go overboard, browsing will definitely be much smoother and faster but you won’t gain much privacy. You will be harassed far less, though, that’s all I go for.

    After playing with a lot of extensions similar to this one, the brute force, one size fits all approaches such as brave or system level adguard, that are maintained well seem to work the best. The more you try to customize any browser with extensions, the slower it gets and the more likely a scorched earth reinstall will be in your future.

    This utility may look good at first glance; the default setting should definitely prove it’s doing something. How long will it take before you’re down to level 0?

  17. Azzz said on October 4, 2021 at 3:37 pm
    Reply

    I tried it yesterday. So far I have no impressions. But it is not clear how to test it and on which sites for reliability.

  18. Honorius said on October 4, 2021 at 11:38 am
    Reply

    > The protection encapsulates the WebRequest API, so it captures all outgoing requests including all elements created by JavaScript.
    Will die with the release (complete transition) to Manifest v3 by Chrome and browsers based on Chromium.

    1. Iron Heart said on October 4, 2021 at 12:28 pm
      Reply

      @Honorius

      Who cares? Never ever should you employ such extensions to fight fingerprinting, read my reply to @Anonymous to understand why.

      There are Chromium-based browsers with native protections against Canvas fingerprinting, such as Brave or Bromite. They were never in need of an extension that doesn’t solve the problem anyway.

  19. Anonymous said on October 4, 2021 at 10:07 am
    Reply

    wonder if and how it interferes with canvasblocker and/or ublock?

    1. Iron Heart said on October 4, 2021 at 12:26 pm
      Reply

      @Anonymous

      > canvasblocker

      Eww, please no. This extension generates vastly different output compared to the built-in protections of the browser. The output of this extension is unique to the extension, and you are thus within the (small) pool of users of the extension, for all to see. And protecting Canvas alone is pointless anyway as there are many other values that can be checked just as well.

      1. Anonymous said on October 4, 2021 at 4:51 pm
        Reply

        > And protecting Canvas alone is pointless anyway

        Rubbish. It fools naive scripts

      2. Iron Heart said on October 4, 2021 at 5:57 pm
        Reply

        @Anonymous

        Good luck then. Many scripts check for more than just Canvas.

      3. Anonymous said on October 7, 2021 at 12:03 pm
        Reply

        > Many scripts check for more than just Canvas

        But they still check for canvas which is the point because it’s randomized and fools naive scripts

        Brave doesn’t protect fonts or timezone or any of another hundred things. By your logic Brave doesn’t work against naive scripts either then

      4. Anonymous said on October 6, 2021 at 7:26 pm
        Reply

        thx for the exlanation! (wasnt me answering above)

  20. Anonymous said on October 4, 2021 at 9:20 am
    Reply

    highly fingerprintable, leaks like a sieve, doesn’t cover enough anywhere near enough to prevent high entropy, breaks legit JS left right and center, lacks enough hooks into APIs to do the job properly

    leave it to built-in browser solutions like Brave’s token randomizing or Tor Browser’s comprehensive mitigations

    1. Gerard said on October 4, 2021 at 10:48 am
      Reply

      Please back up your allegations with evidence.

      1. Iron Heart said on October 4, 2021 at 12:16 pm
        Reply

        @Gerard

        The guy above is correct. Read this comment by security researcher Daniel Micay:

        “Providing the offer to disable features to reduce attack surface can be useful. Doing it to prevent fingerprinting is utter nonsense since by changing any settings that sites can detect you have made yourself far more easily fingerprinted. Disabling WebRTC and WebGL would make you far easier to fingerprint, not harder. These sites encouraging things like that is a problem.”

        source: https://old.reddit.com/r/GrapheneOS/comments/ciizae/vanadium_and_bromium_privacy/ev6m2ot/

        Here, Whonix developer madaidan on the matter:

        “Configuring / “Hardening” the Browser

        You cannot configure your browser to prevent tracking either. Everyone will configure their browser differently so when you change a bunch of about:config settings, such as privacy.resistFingerprinting, and pile on browser extensions like Privacy Badger, you’re making yourself stand out and are effectively reducing privacy.

        Additionally, just disabling JavaScript, while preventing large vectors for fingerprinting, does not prevent fingerprinting entirely. Fingerprinting can be done with only CSS and HTML. One example is using @media rules to figure out your browser resolution.

        You also cannot substantially improve security by configuring the browser. Changing a few settings will not fix deep architectural security issues. You can at most reduce some attack surface by disabling things, but most people don’t do this to an extent where it actually matters.”

        source: https://madaidans-insecurities.github.io/browser-tracking.html#configuring-the-browser

        Also, read this thread very carefully:

        https://old.reddit.com/r/privacytoolsIO/comments/iepjwh/wont_reducing_your_browser_fingerprint_have_the/

        The only people who believe that you can “fix” browser fingerprinting via extensions or alternatively user.js files doing similar shit are the self-important maintainers of these non-fixes. The only way not to stand out is for browsers to behave the same while protecting these values, like the Tor Browser Bundle or Brave attempt to do. Installing Firefox or any other browser, with everyone modifying it here and there does not reduce your uniqueness, it is utter bullshit.

      2. Yash said on October 4, 2021 at 1:18 pm
        Reply

        “The only way not to stand out is for browsers to behave the same while protecting these values, like the Tor Browser Bundle or Brave attempt to do.”
        Can you explain Brave browser attempts properly? How many values it protects, and more important name of some values it protects?

      3. Gerard said on October 4, 2021 at 1:13 pm
        Reply

        I didn’t say the guy was wrong. He should thank you for doing what he failed to do.

      4. Anonymous said on October 4, 2021 at 2:52 pm
        Reply

        Iron Heart didn’t even answer the question

        Iron Heart’s fingerprinting knowledge is disgustingly abysmal, bordering on criminal. He doesn’t know how entropy, fingerprinting or linkability works

        Here’s a tiny snippet of his lack of knowledge on the subject
        https://www.ghacks.net/2021/07/31/how-firefoxs-new-smartblock-feature-works/#comment-4501396
        https://www.ghacks.net/2021/07/31/how-firefoxs-new-smartblock-feature-works/#comment-4501361

        Iron Heart just likes to link and quote non-fingerprinting experts out of context to make himself look smart

        This is not about fingerprinting metrics (there is that) but the actual extension. Extension APIs are limited, and this makes it hard to plug all the leaks. Workers in particular are an issue which is why you find extensions killing them. And there can be timing, injection, and perf issues. And then there’s this little fact

        reading
        https://palant.info/2020/12/10/how-anti-fingerprinting-extensions-tend-to-make-fingerprinting-easier/
        https://news.ycombinator.com/item?id=25374383
        https://abrahamjuliot.github.io/creepjs/tests/prototype.html

        levels 2+3
        – the version of creepjs prototype linked above is out of date. Newer versions of it are improved to evade evasion tactics used in a game of whack-a-mole (proxy lies), but not needed for JS redirector it seems. The test linked is a detailed scan. On level 3 it errors out. On level 2 it returns 194 lies detected in 50 of 2022 properties on Firefox
        – the creepjs test can also be run in a less detailed mode, the important bit is the 50 properties (not necessary used to lie, but cannot be trusted): FYI: levels 2 + 3 are the same: 50 properties
        – the order of navigator keys is uniquely altered when comparing a loop vs prototype
        level 3
        – 37 window properties moved after constructor: including a unique set of at least 13 not seen elsewhere
        – other telltale signs such as errors like “Permission denied to access object”, or Date.split()
        level 2
        – 24 window properties moved after constructor: including a unique set of at least 6 not seen elsewhere
        level 1
        – not meaningful

        and that’s just for starters

      5. Iron Heart said on October 4, 2021 at 4:50 pm
        Reply

        @Anonymous

        > Iron Heart’s fingerprinting knowledge is disgustingly abysmal, bordering on criminal. He doesn’t know how entropy, fingerprinting or linkability works

        But you do? I have not seen anything in regards to that, either.

        And the links you’ve pointed to… Yeah, people, go ahead and read the entire thread then. I am discussing with a believer in snake oil like user.js files there. Fun read indeed.

        > Iron Heart just likes to link and quote non-fingerprinting experts out of context to make himself look smart

        How am I quoting them “out of context”? I am not a quote shortener, and the entire context, or indeed, the entirety of the posts I’ve quoted from (and linked to, for all to read) indicate that they are not fond of snake oil like user.js “templates”.

        Yeah, I guess developers of f*cking Whonix and GrapheneOS have much less of an idea of fingerprinting than some self-important user.js author (with whom you have nothing to do, I am 1000% sure) who has never written a single line of code and only knows the defenses from the results of testing suites. Yes, I do believe that. /s

      6. Developers Developers Developers said on October 5, 2021 at 10:31 pm
        Reply

        > developers of f*cking Whonix and GrapheneOS have much less of an idea of fingerprinting than some self-important user.js author (with whom you have nothing to do, I am 1000% sure) who has never written a single line of code and only knows the defenses from the results of testing suites.

        LOL:) “f*cking Whonix” is a joke and only code they write is comments in scripts. Dont know much about Sir Micay, but he seems to be more hysterical than productive and tends to invent problems out of thin air, just like uneducated whonix “devs” and our dear Iron Heart.

      7. Iron Heart said on October 6, 2021 at 2:53 pm
        Reply

        @Developers Developers Developers

        These guys are still much more knowledgeable than any irrelevant author of a “change 1001 settings in Firefox and everything will be alright” bandaid script. Deal with it.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.