FSF announces JShelter browser add-on to combat threats from nonfree JavaScript

by Greg Farough — Published on Sep 30, 2021 04:41 PM

BOSTON, Massachusetts, USA – Thursday, September 30th, 2021 – The Free Software Foundation (FSF) today announced the JShelter project, an anti-malware Web browser extension to mitigate potential threats from JavaScript, including fingerprinting, tracking, and data collection. The project is supported by NLnet Foundation’s Next Generation Internet (NGI) Zero Privacy & Trust Enhancing Technologies fund. Collaborators include Libor Polčák and Bednář Martin (Brno University of Technology), Giorgio Maone (NoScript), and Ana Isabel Carvalho and Ricardo Lafuente (Manufactura Independente). The JShelter browser add-on is in development and the first release is available.

Most modern Web sites contain a growing number of programs that the user’s Web browser downloads and runs automatically as pages are loaded. While these JavaScript programs can provide functionality to a site in conjunction with native browser features, they are also a significant liability both from security and privacy perspectives. Moreover, the software is typically licensed under unethical terms by the FSF’s standards, disempowering users and hampering learning and security. With a thirty-six year history of defending software ethics, The FSF recognizes the importance and urgency of both aspects of the problem and its role in solving this significant challenge. In response, the FSF has been working on an ambitious new initiative, the JShelter browser extension. This browser add-on will limit the potential for JavaScript programs to do harmful actions by restricting default behavior and adding a layer of control. JShelter is a significant next step in the FSF’s “Free JavaScript Campaign,” providing a new tool that can be used in conjunction with another related extension, GNU LibreJS, which allows the user to identify and run only freely licensed scripts.

FSF campaigns manager, Greg Farough said: “Besides providing much-needed protection for users, JShelter will help the FSF demonstrate the power and usefulness of free ‘as in freedom’ software, serving as a conversation starter about the ethical necessity of free software and the dangers of nonfree software while using the Web. We thank NLnet Foundation for recognizing the importance of free software and investing in the FSF’s strategy for free JavaScript on the Web.”

Accessing cookies, performing fingerprinting to track users across multiple sites, revealing the local network address, or capturing the user’s input before they submit a form are some examples of JavaScript’s capabilities that can be used in harmful ways. JShelter adds a safety layer that allows the user to choose if a certain action should be forbidden on a site, or if it should be allowed with restrictions, such as reducing the accuracy of geolocation to the city area. This layer can also aid as a countermeasure against attacks targeting the browser, operating system, or hardware levels.

The JShelter project is a freely licensed, anti-malware browser extension to mitigate potential threats from JavaScript. The project’s website is at https://jshelter.org/. It will ask – globally or per site – if specific native functions provided by the JavaScript engine and the Document Object Model (DOM) are allowed by the user. It will also link to an explanatory page for each function, to raise awareness of related threats. Depending on the function being addressed, the user will have the option to allow it, block it, or have it return a custom value.

“JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript. This is a project I’ve been looking forward to for years, tired of dealing with all kinds of potential antifeatures in the browsers I use and distribute, and having to figure out some countermeasure for them with configuration changes, patches or extensions,” shared Ruben Rodriguez, former FSF chief technology officer. “Being able to wrap the JavaScript engine in a layer of protection is a game changer.”

“Our browsers have become perhaps the most critical of tools we depend on, and yet the browser environment is far from healthy,” says Michiel Leenaars, director of strategy at NLnet Foundation and coordinator of NGI Zero. “Dominant corporate behavior from a small amount of actors has been aggressively reshaping the evolution of the Web, and that is starting to wreak havoc. Despite an enormous systemic dependency, we as users have very little control over what browsers allow and share – leading to significant risk as the most powerful tools in the shed are essentially left unprotected for every casual Web site to abuse. JShelter is a great initiative to help empower us all, to help us gain better understanding and to better safeguard ourselves from obvious and otherwise unavoidable harm.”

The effort is part of a larger, multi-year campaign from FSF on JavaScript on the Web started in 2013, which among others includes the development of GNU LibreJS and outreach to users and developers about nonfree software inside the browser. The GNU LibreJS extension detects JavaScript web labels and assists users with running only JavaScript distributed under a free software license, according to their ethical convictions and individual preferences.

JShelter will form a core part of the FSF’s general recommendations for how to use the Web without ethical compromise. In conjunction with the GNU LibreJS extension, a fully free distribution of the GNU/Linux operating system, and a Respects Your Freedom (RYF) certified computer, it will help users move toward the FSF’s vision of a world where computing upholds, rather than diminishes, their individual rights.

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users’ right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software – particularly the GNU operating system and its GNU/Linux variants – and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at https://fsf.org and https://gnu.org, are an important source of information about GNU/Linux. Donations to support the FSF’s work can be made at https://donate.fsf.org. Its headquarters are in Boston, MA, USA.

More information about the FSF, as well as important information for journalists and publishers, is at Press Information — Free Software Foundation — Working together for free software.

About the NLnet Foundation

Started in 1989, Stichting NLnet is an independent, recognized philanthropic nonprofit foundation that stimulates network research and development in the domain of Internet technology. The articles of association for the NLnet foundation state: “to promote the exchange of electronic information and all that is related or beneficial to that purpose.” The foundation actively engages with the global internet community in many ways, with a joint goal to create a better, safer, and more secure Internet for tomorrow. More information about Stichting NLnet can be found at NLnet; About NLnet foundation.

About the Next Generation Internet initiative

The Next Generation Internet (NGI) initiative (https://NGI.eu), launched by the European Commission’s DG CNECT in the autumn of 2016, aims to shape the future Internet as an an inclusive and value-centric Internet for all: resilient, trustworthy and sustainably free. The overall mission of the Next Generation Internet initiative is to re-imagine and re-engineer the Internet for the third millennium and beyond. The information age should be an era that brings out the best in all of us. NGI wants to enable human potential, mobility and creativity at the largest possible scale – while dealing responsibly with our natural resources.

In practical terms, the NGI initiative is carried out by ambitious efforts supporting the concrete development of free software and hardware and new standards – such as NGI Zero (NLnet; About NGI Zero), which is a joint initiative by NLnet Foundation, Accessibility Foundation, Association for Progressive Communications, Center for the Cultivation of Technology, Network Security Group of Eidgenössische Technische Hochschule Zürich, Free Software Foundation Europe, ifrOSS, NixOS Foundation, Petites Singularités, Radically Open Security, and Translate House. NGI Zero receives funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No 825310 and 825322.
FSF announces JShelter browser add-on to combat threats from nonfree JavaScript — Free Software Foundation — Working together for free software