Gruss, 2018), little-lies-based fingerprinting preven-
tion (Nikiforakis et al., 2015; Pierre Laperdrix, 2017),
and ideas for limiting APIs brought by Web API Man-
ager (Snyder et al., 2017). JShelter comes with a
heuristic-based fingerprint detector and prevents web
pages from misusing the browser as a proxy to access
the local network and computer. We solved issues
with reliable environment modifications that stem
from insufficient webextension APIs that open many
loopholes that previous research exploited (Shuster-
man et al., 2021). In addition to JShelter, we in-
troduced NSCL. Both NoScript Security Suite and
JShelter include NSCL. Moreover, NSCL is available
for other privacy- and security-related webextensions.
In cooperation with Free Software Foundation, we
aim for long-term JShelter development; thus, users’
privacy and security should be improved in the future.
ACKNOWLEDGEMENTS
This project was funded through the NGI0 PET Fund,
a fund established by NLnet with financial support
from the European Commission’s Next Generation
Internet programme, under the aegis of DG Commu-
nications Networks, Content and Technology under
grant agreement No 825310 as JavaScript Restric-
tor and JShelter projects. This work was supported
in part by the Brno University of Technology grant
Smart information technology for a resilient society
(FIT-S-23-8209).
REFERENCES
APD (2022). Decision on the merits 21/2022 of 2
February 2022. APD — Autorit
´
e de protec-
tion des donn
´
ees. Available online at https:
//www.autoriteprotectiondonnees.be/publications/
decision-quant-au-fond-n-21-2022-english.pdf,
unofficial translation from Dutch.
Bergbom, J. (2019). Attacking the internal network
from the public internet using a browser as a
proxy. Forcepoint research report available at https:
//www.forcepoint.com/sites/default/files/resources/
files/report-attacking-internal-network-en 0.pdf.
Englehardt, S. and Narayanan, A. (2016). Online tracking:
A 1-million-site measurement and analysis. In CCS
’16, pages 1388–1401.
Fietkau, J., Thimmaraju, K., Kybranz, F., Neef, S., and
Seifert, J.-P. (2021). The elephant in the background:
A quantitative approach to empower users against web
browser fingerprinting. In WPES ’21, page 167–180.
Gruss, D., Bidner, D., and Mangard, S. (2015). Prac-
tical memory deduplication attacks in sandboxed
Javascript. In Computer Security – ESORICS 2015,
pages 108–122. Springer International Publishing.
ICO (2019). Update report into adtech and real
time bidding. ICO — Information Commis-
sioner’s Office. Available online at https://ico.
org.uk/media/about-the-ico/documents/2615156/
adtech-real-time-bidding-report-201906.pdf.
Iqbal, U., Englehardt, S., and Shafiq, Z. (2021). Finger-
printing the fingerprinters: Learning to detect browser
fingerprinting behaviors. In IEEE Symposium on Se-
curity & Privacy, pages 1143–1161.
Laperdrix, P., Bielova, N., Baudry, B., and Avoine, G.
(2020). Browser fingerprinting: A survey. volume 14.
ACM.
Matte, C., Bielova, N., and Santos, C. (2020). Do cookie
banners respect my choice? Measuring legal compli-
ance of banners from IAB Europe’s Transparency and
Consent Framework. In 2020 IEEE Symposium on Se-
curity and Privacy (SP), pages 791–809.
Michael Schwarz, M. L. and Gruss, D. (2018). Javascript
zero: Real javascript and zero side-channel attacks. In
NDSSS 2018.
Mozilla Bugzilla (2016). [meta] Page CSP should not apply
to content inserted by content scripts (v2 issue). Avail-
able online at https://bugzilla.mozilla.org/show bug.
cgi?id=1267027.
Nikiforakis, N., Joosen, W., and Livshits, B. (2015). PriVar-
icator: Deceiving fingerprinters with little white lies.
In WWW ’15, pages 820—-830.
Pierre Laperdrix, Benoit Baudry, V. M. (2017). FPRandom:
Randomizing core browser objects to break advanced
device fingerprinting techniques. In 9th International
Symposium on Engineering Secure Software and Sys-
tems, page 17.
Pol
ˇ
c
´
ak, L. and Je
ˇ
r
´
abek, K. (2023). Data protection and se-
curity issues with Network Error Logging. In Pro-
ceedings of the 20th International Conference on Se-
curity and Cryptography. SciTePress - Science and
Technology Publications.
Shusterman, A., Agarwal, A., O’Connell, S., Genkin,
D., Oren, Y., and Yarom, Y. (2021). Prime+Probe
1, JavaScript 0: Overcoming browser-based Side-
Channel defenses. In USENIX Security 21, pages
2863–2880.
Snyder, P., Ansari, L., Taylor, C., and Kanich, C. (2016).
Browser feature usage on the modern web. In IMC
’16, pages 97–110.
Snyder, P., Taylor, C., and Kanich, C. (2017). Most web-
sites don’t need to vibrate: A cost-benefit approach to
improving browser security. In CCS ’17, pages 179–
194.
SECRYPT 2023 - 20th International Conference on Security and Cryptography
294