NOTE: It's early on in the development process, so a lot can and will change.
An extension that helps user dynamically analyze a site and recommends
appropriate more strict cookie security flags, including Secure;,
SameSite=[Lax|Strict];, and HttpOnly; and cookie prefixes __Secure-*
and __Host-*.
The modern web heavily relies on HTTP Cookies, some of which are used to track users, invading their privacy. Since cookies have "dual use" (for privacy-invading trackers as well as useful features), the user can not disable cookies without breaking the majority of the sites online. This extension aims to inform the user of the potential privacy risk associated with specific cookies. It aims to perform only a small set of functions and do them well. In general, the user should also use other software to protect own privacy, because cookies are not the only technology used for tracking. Please refer to "This extension is not" for a summary of what other software you might want to use together with this extension.
- A method to visualize HTTP cookies and their contents and behavior TODO: write details
- Network filter, sometimes referred to as ad blocker.
The best way to ensure a connection does not disclose any information
is to block the connection entirely. (E.g., even a mere act of
establishing a connection already leaks user IP address.) Request
blocking is implemented by many other software solutions:
- uBlock Origin (not to be confused with uBlock) is a browser extension widely praised for versatility, efficiency, absence of monetary conflicts of interest, and a good privacy policy.
- uMatrix is sometimes referred to as uBlock Origin for advanced users
- Privacy Badger
- AdGuard has browser extensions and stand-alone network filters
- Adblock - a commercial product, with "Acceptable Ads" controversy
- Adblock Plus - another commercial product, also tainted by "Acceptable Ads" controversy
- Firefox has "Tracking Protection" (limited to Disconnect filters)
- Brave browser has a built-in filter engine
- Opera browser has a built-in filter engine
- Yandex.Browser has a built-in filter engine (and whitelist for tracking services provided by Yandex itself)
- HTTPS enforcer (mixed content resolver) HTTP is a plaintext protocol, which means someone can temper with it in transit. Specifically, "man in the middle" can observe all transmited information and modify it. User should always be cautious when visiting HTTP pages, and prbably use extension that forces HTTPS for content available over HTTPS. "HTTPS Everywhere" is a a great tool for that.
This extension exists to fulfill only one goal -- to protect user's privacy -- therefore:
- All user information is stored locally in the user's browser and is never shared with anyone.
- All information is discarded as soon as it is no longer needed.
- The user can delete all collected information at all times.
- This extension runs with the least API permissions possible. See API Permissions Policy for details.
This extension runs with the least API permissions possible.
- Each permission is declared "optional" if it is practical.
- On the first install, the user should go into the extension options and enable all the desired features (and give the permissions).
- Permissions are removed if they are no longer required (and requested again if the user activates feature requiring the permission). The browser might not prompt the user every time if the user granted the permission already.
The actual permissions include: TODO: write stuff
Nothing can be private unless it is secure, therefore this extension takes the following precautions:
- Uses the least API permissions possible
- Reasonable CSP
The extension relies on npm modules and webpack for building.
To get started, follow these steps:
- Download official Node.js installer and install it
- Clone this repo somewhere and
cdinto that folder - Install all dependencies with
npm i - Download Font Awesome icons with
npm run icons - Now you can build and rebuild the extension with
npm run build
Just edit files in source/common and rebuild the extension (step 5) and test it.
This extesion uses the following npm modules: TODO: WRITE WHICH ONES
source/*WebExtension source codesource/common/*contains code shared among all WebExtension extensionssource/common/background/*contains all background scriptssource/common/background/cookiestore.jsmaintains the cookie database
source/common/pages/*contains all the interfacessource/common/content_scripts/*contains all the code interacting with the page from its own contextsource/common/web_accessible_resources/*contains all the code injected into the page context
source/chromium/*contains Chromium-specific codesource/firefox/*contains Firefox-specific code
build/*contains all the builds generated from the source codenode_modules/*is the land ofnpm, don't go there
The extension is built for WebExtensions API,
which is supported by modern Chromium, Firefox, and Microsoft Edge browsers. Specifically, it requires following APIs: cookies,
storage, and optionally (recommended) webRequest.
Chromium is the primary target for this extension development, because of
This extension requires Chromium 26 and up because it relies on chrome.cookies API,
however SameSiteStatus is accessible only in Chromium 51 and up. source
Doesn't work with Firefox yet, but will eventually.
Does not support Microsoft Edge, but might eventually.
Probably will never support Apple Safari natively, because Safari does not support WebExtensions API. Even then, Safari support is not a priority currently. Might support Safari in a distant future via a polyfill library.