New Update JShelter - JavaScript Restrictor

Add-on/Extension Page
https://jshelter.org/

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,606
Update to 0.15.2
JShelter: Release history

Still using this at default settings in Chrome/Edge browsers with no problems whatsoever.
 

oldschool

JShelter: Release history Updated to v0.16
  • Remove Workers in Recommended JSS level to make JShelter compatible with some pages. This change might be reverted when Pagure issue 80 is solved.
  • FPD: Add possibility to learn the calling stack of functions that lead to the tracked APIs (Pagure issue 52). This information can be used to create block list or to study the calling code and its effects.
  • FPD: Fix browser overloading by FPD messages by HTMLElement.prototype.offsetHeight and offsetWidth wrappers that might have crashed browsers.
  • FPD: code cleanup
 

ForgottenSeer 97327

@oldschool
Yes, seems they geared the default/recommended towards usability (y) Although I am uncertain about the "network boundary shield". Lately uBO dropped that filter (protect network). Also I checked an adult website and a news website which both triggered warnings in the past. Now they stay at 3 (adult) and 4 blocks (news website). I have tested JShelter in the past and I think I remember that 5 warnings triggered a red alert and a value above three made JShelter color yellow (with the warning that this website likely fingerprinted you). JShelter still triggers a warning for browserleaks.com (e.g. canvas fingerprint), indicating that they have improved usability. (y)
 

oldschool

they have improved usability. (y)
That's their main objective with updates, aside from adaptation to changes in browser code, APIs, etc.
At the same time, we are aware of several JShelter bugs and issues. We are working on making JShelter bug-free. We do not want to break benign pages. Fixing some issues takes time. Other issues need balancing between several options. JShelter is meant to be used with (ad)blockers like uBlock Origin. Using a blocker will make your online activities considerably safer. At the same time, it will make JShelter break fewer sites.


Right now, JShelter will need more interaction from you than we would prefer. Some protection needs improvements. Some functionality needs to be included. When we achieve the state of fixing the bugs and making JShelter easy to manage, we will release version 1.0. If you are unwilling to tweak JShelter occasionally, consider returning once we release version 1.0. Otherwise, try other options.
 

ForgottenSeer 97327

I believe you are correct sir, but I can't remember ATM.
The pop-up screen now also mentions how many APIs are misused. Seems they have redesigned and improved the blocking/warning logic.


ForgottenSeer 97327

It's not a very popular extension, that's why I'm considering using it; feels like it's like Trace used to be (Trace discontinued in 2021). At least the extension is recommended on the Chrome store.
There are a few reasons why it is/was not popular:
1. When JShelter started, they set the defaults to tight (e.g. blocking third-party XMLHttpRequest), which sort of made it a hard-to-use extension.
2. Although it is hyped a lot (fingerprinting), it is not much used in daily practice (advertisers have enough other means to track you).
3. Some of their API-wraps were relatively CPU expensive, negatively influencing the cost (relatively high CPU) - benefit (few websites use fingerprinting) decision.

As Oldschool confirmed, they have balanced their settings (in favor of usability) and have improved in API-wrapping effectiveness (less CPU), so it gradually becomes a feasible option for most (even on my medium-low spec PC it runs fine now). In short, with JShelter you get 90% of Brave fingerprinting protections and a bit more than Firefox resist fingerprinting on Chromium-based browsers, with the benefit of using the mode of operation you like best (e.g. default with website whitelist exceptions or default off with strict or default protection on selected/blacklisted 'murky' websites).

So thank you to the MT-members for keeping this thread alive (@oldschool, @n8chavez, @Kongo, @Jan Willy, @Moonhorse, @simmerskool).
 

oldschool

It's not a very popular extension, that's why I'm considering using it; feels like it's like Trace used to be (Trace discontinued in 2021). At least the extension is recommended on the Chrome store.
JShelter is not a one-man show like Trace. It grew out of the graduate studies of quite a few people, but of course anyone interested may contribute to the project as it's open-source, unlike Trace. They also continue to update the site with blog posts, etc.
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310 as JavaScript Restrictor and JShelter projects. This project was supported by the MV CR VI20172020062 project.
JShelter: Credits
Are there any compatibility problems with Av?
I can't see any reason why there would be. AFAIK AVs don't interfere with browser extensions, at least that I've heard of.
 

oldschool

Updated to v. 0.17 JShelter: Release history

0.17
  • Added support for built-in tweaks for specific domains. The goal is to list several domains that break unnecessarily. Typically, an addition to the list should be well explained and must not lower protection. A nice candidate is WebWorker and the protection of Strict (break) and Remove.
  • Updated translations
  • Improved FPD report based on user feedback:
      • Do not refresh report automatically when tracking callers but introduce an update button so that users refresh when convenient (prevent glitches in the interfaces)
      • Add buttons to hide/show details and fold/unfold groups
      • Do not show traces in bold to better differentiate between API names and traces.
      • Add possibility to forget current traces. Useful when there is a fingerprinting script that activates after some action. The button allows the user to hide the traces triggered in the past and later load only new traces.
  • Add support for signing for Android on AMO, so we needed to increase minimal supported version
 

oldschool

From the link in post above:

First step towards MV3

Fri 19 April 2024

We have been working on migration to Manifest v3 (MV3) for some time and today we are shipping a JShelter version 0.18 that implements stateless replacement for background pages which is a first step towards MV3.
MV2 extensions were allowed to create background pages. These pages allow running JavaScript code and keep state like variables for the whole browser session. Essentially, all background pages started with the browser and lasted until the user closed the browser. Hence, we could utilize background pages to save all information needed to be kept in memory. For instance, JShelter needs to store:
  • hashes used as a seed for JavaScript shield anti-fingerprinting protection,
  • number of API calls needed for Fingerprint detector, which the user can see in the pop up and fingerprinting report,
  • information needed to keep pop up icon dynamic,
  • etc.
We needed to solve issues related to the migration of all this information from regular JavaScript variables to Web Storage. As we expect that other extensions need to solve the same problem, we created a stateless NSCL branch. Among others, we needed to solve the issue of writing to the storage too frequently. As the core of JShelter is heavily stateful, we needed to rewrite important parts that were in the code base for years and were proven to work.
JShelter has repeatable tests and we run additional testing, especially under circumstances like this change. Everything should run the same as it used to work in 0.17. However, please be cautious and report back any odd behavior that you encounter with 0.18 and later versions.
Migration to stateless or non-persistent background pages is needed for MV3 but it is still not a final step. Expect other major changes in JShelter core code including removal of Network Boundary Shield for Chromium-based browsers soon. Hence, keep cautious also in the following months and report back any issues that you encounter. Have a look at our Release page for more information about the changes in JShelter.
This post is part 3 of the "Manifest v3" series:

  1. What is Manifest v3 and how it affects JShelter
  2. "Fixing" Manifest V3
  3. First step towards MV3
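
The storage problem the quoted post describes (state moved out of background-page variables, without writing to storage on every API call) can be sketched as follows. This is an added example, not code from JShelter or NSCL; `MemoryStorage`, `CounterStore` and the key name `fpdCounts` are hypothetical names made up for the sketch.

```javascript
// Constructed sketch, not JShelter or NSCL code. MemoryStorage stands in for an
// asynchronous extension storage area and counts how often it is written.
class MemoryStorage {
  constructor() { this.data = {}; this.writes = 0; }
  async get(key) { return this.data[key] ? { ...this.data[key] } : undefined; }
  async set(key, value) { this.writes++; this.data[key] = { ...value }; }
}
class CounterStore {
  constructor(storage, key = "fpdCounts") {
    this.storage = storage; this.key = key;
    this.pending = new Map();       // increments not yet persisted
    this.tail = Promise.resolve();  // serializes flushes so none overwrites another
  }
  // Hot path, called for every wrapped API call: memory only, no storage I/O.
  record(tabId, api) {
    const k = `${tabId}:${api}`;
    this.pending.set(k, (this.pending.get(k) || 0) + 1);
  }
  // Called on a timer or before the worker idles: one read-modify-write per batch.
  flush() { return (this.tail = this.tail.catch(() => {}).then(() => this.writeBatch())); }
  async writeBatch() {
    if (this.pending.size === 0) return 0;
    const batch = this.pending;
    this.pending = new Map();       // calls arriving during the await join the next batch
    const stored = (await this.storage.get(this.key)) || {};
    for (const [k, n] of batch) stored[k] = (stored[k] || 0) + n;
    await this.storage.set(this.key, stored);
    return batch.size;
  }
  // A restarted worker has no variables left and reads the counts back from storage.
  async count(tabId, api) {
    const stored = (await this.storage.get(this.key)) || {};
    return stored[`${tabId}:${api}`] || 0;
  }
}

async function demo() {
  const storage = new MemoryStorage();
  const first = new CounterStore(storage);
  for (let i = 0; i < 500; i++) first.record(7, "HTMLCanvasElement.toDataURL");
  first.record(7, "Screen.width");
  await Promise.all([first.flush(), first.flush()]);   // second flush finds nothing to write
  const second = new CounterStore(storage);            // models a worker restart
  second.record(7, "Screen.width");
  await second.flush();
  return { writes: storage.writes, canvas: await second.count(7, "HTMLCanvasElement.toDataURL"),
           width: await second.count(7, "Screen.width") };
}
```

Counts recorded after the last flush are lost if the worker is terminated first, so the flush interval trades storage writes against how much can be dropped.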
 

oldschool

JShelter: Release history
0.18.1
Fix the scope where updateCount used by FPD is created (Pagure issue 141). Although the function was not visible to page scripts, page scripts could have defined their own function, with several consequences, as JShelter would call the page script function:
  • FPD would not learn about the calls and consequently would not detect fingerprinting attempts by the page,
  • pop up would not show calls to the wrapped APIs,
  • the page would be able to detect that JShelter is being installed,
  • if the page would not expect that someone is calling its function it can have any undesired consequences.
The bug was present in JShelter since the introduction of FPD in 0.6 and all versions up to 0.18 are affected.
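
The class of bug described in the 0.18.1 note, modelled as an added example that is not JShelter source: the page does not show the actual scoping, so the model assumes the wrapper resolves its helper by name and that a page-writable scope is searched before the extension's own. All names other than `updateCount` are hypothetical.

```javascript
// Simplified, constructed model of the 0.18.1 scope issue; not JShelter source.
// Assumption: name lookup reaches a page-writable scope before the extension's scope.
function makeEnv() {
  const seen = [];                                   // calls FPD and the pop-up learn about
  const extScope = { updateCount: (api) => { seen.push(api); } };
  const pageScope = {};                              // anything here is writable by page scripts
  const lookup = (name) => (name in pageScope ? pageScope[name] : extScope[name]);
  return { seen, extScope, pageScope, lookup };
}

// Before the fix (modelled): the helper is looked up by name on every call.
function wrapVulnerable(env, apiName, original) {
  return (...args) => {
    env.lookup("updateCount")(apiName);              // may resolve to a page-defined function
    return original(...args);
  };
}

// After the fix (modelled): the reference is captured once in the wrapper's own closure.
function wrapHardened(env, apiName, original) {
  const updateCount = env.extScope.updateCount;      // bound before any page script runs
  return (...args) => {
    updateCount(apiName);
    return original(...args);
  };
}

// Same page behaviour against either wrapper; returns what each side observed.
function simulate(wrap) {
  const env = makeEnv();
  const getWidth = wrap(env, "Screen.width", () => 1920);
  const pageSaw = [];                                // what the page's own function receives
  env.pageScope.updateCount = (api) => { pageSaw.push(api); };  // page defines the same name
  for (let i = 0; i < 3; i++) getWidth();            // page reads the wrapped API three times
  return { fpdCount: env.seen.length, pageSaw: pageSaw.length };
}

const before = simulate(wrapVulnerable);  // FPD counts nothing; the page is called each time
const after = simulate(wrapHardened);     // FPD counts every call; the page function never runs
console.log({ before, after });
```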
 

oldschool

JShelter 0.19
  • First Manifest V3 release, using only MV3 APIs on Chromium-based browsers.
  • Updated NoScript Commons Library dependency to the mv3 branch.
  • All browsers: fixed UI popup failing to render when opened first time after long inactivity
  • Chromium-only: user-facing warnings about developer mode being currently required on MV3.
  • Chromium-only: removed Network Boundary Shield (unimplementable in current MV3).
  • Chromium-only: removed blocking mode Fingerprinting Detection (unimplementable in current MV3).
JShelter: Home
 
