NBS: Do not show notifications for hostnames resolving to undefined IP addresses, as described in the FAQ (broken in 0.11, which suppresses notifications only for undefined IP addresses but still shows them for hostnames resolving to undefined IP addresses)
Reset window.name only on eTLD+1 changes
Farbling: Use eTLD+1 instead of origin to generate hash
FPD: Clear storage during navigation (prevent the page from storing the hash to local storage and loading the hash after page reload)
FPD configuration: Decouple notification and behaviour settings. Let the user optionally disable notifications without strict effect on behaviour
Improve CSP of the extension pages, fix broken favicons in FPD report
NBS: Block requests to undefined IP address (0.0.0.0 or [::]) but do not show notifications
Fix extension initialization in permanent private mode
options: Add external links to JShelter.org FAQ and threat model
Add favicons to options pages
Remove unused icons
Add wrappers modifying calls detecting supported media types and installed codecs (Multimedia playback), github issue 66
Add wrappers disabling Network Information API inspired by Brave, github issue 66
Add wrappers disabling Web NFC API, github issue 66
Add wrappers for Cooperative Scheduling of Background Tasks API, github issue 66
Add wrappers for User idle detection, github issue 66
Add possibility to set NBS as passive (notify user but do not block), github issue 66
Fix Web Audio wrappers (Pagure issue #16)
FPD Report allows exporting data as JSON
Modified FPD wrappers independent of JSS
FPD can be configured as strict (more aggressive fingerprinting detection)
FPD: Better storage removal through a content script in the absence of the browsingData permission
Fix early loading of module configuration (FPD used to be disabled after first installation)
FPD initialization reworked
Add support for customizing settings for file:// scheme (Github issue #180)
Improve config checker in advanced options
Improved English, naming consistency, and some descriptions
Apply Content-Security-Policy to webextension pages
Firefox: deactivate the window.name wrapper; Firefox provides protection since 88 and the JShelter wrapper breaks pages
Enable webworker wrappers by default, see the paper https://arxiv.org/abs/2204.01392, §4.3
Tidy up popup UI and FPD report UI
Show wrapper groups descriptions in options.html
Add "Turn fingerprinting protection off" level. As the AFPD shows the likelihood of fingerprinting, some users might be tempted to trade some performance gain for no protection against fingerprinting. See for example Github #179.
Fix displaying empty FPD report
Add FPD report page
Show fingerprinting likelihood in the popup and badge icon colour
GPS wrapper reimplemented to use farbling (simulate a stationary device per domain and session); previously each page load generated a new position
Reorganize canvas reading wrappers, all are in the same group
Security review and hardening of the wrappers
Do not change values depending on activated tweaks
Remove obvious reversibility of the canvas farbling
Unify wrapping between H-C and WEBGL
Unify the wrappers in Strict and Farbling wrapping of WebGL parameters (some were farbled but not disabled on Strict)
Farbling of WebGL parameters spread more wildly to hide the correct
number (that might have been revealed after several visits)
WebGL: Farble renderer and vendor the same way as unmasked versions
Remove possible dependencies between multiple wrapping groups using
Strict: Return empty UNMASKED VENDOR and RENDERER. Previously, these values depended on the domainHash, which meant that the unique value could be used to uniquely fingerprint the device.
Harden WEBA farbling
Scramble the output of PRNG with domainHash to prevent guessing the
Try to improve speed as much as possible, but the wrapping is likely slower
Github #125: Add option to disable NBS notifications, limit the number of notifications
Fix Pagure #18 Optional permissions for AFPD - it is not necessary to give browsingData
Allowlist options in NBS and FPD changed breaking backwards compatibility
When optionally activated, wrap BigInt typed arrays the same way as other typed arrays
Apply proper shielding for navigator.plugins in Firefox.
Hide FPD notification after a while to prevent windows notification spam in chromium-based browsers
Unified way to disable each component in the pop up. This should prevent users from disabling NBS
thinking they disabled JSS.
Pop up redesigned. Try not to confuse the user about global/per-page settings.
group of wrappers for certain domain only without the necessity to create a new level.
The wrapping strength is defined by the user with a range input.
The badge icon does not show level ID anymore. JShelter shows the number of wrapping groups
accessed by the current page. Report the number of calls for wrapped APIs in the pop up.
Level 1 removed as it was not properly maintained.
Timestamp protection in level 2 increased to match level 3.
XHR wrappings and (shared) array buffers are not wrapped anymore, as XHR is superseded by FPD and array buffers break other APIs.
New experimental level added that is based on original level 3.
Better and much longer description of built-in levels.
Added support for device rotation. Accelerometer, LinearAccelerationSensor, GravitySensor, and Magnetometer now adjust the gravity vector by the rotation matrix.
AmbientLightSensor, Gyroscope, AbsoluteOrientationSensor, and RelativeOrientationSensor wrappers added.
Accessibility improvements in pop up.
New colour scheme based on the logo and JShelter.org web site for both light and dark theme.
Load FPD settings from advanced options correctly.
Some inconsistencies in the update mechanism of hardware and enumerateDevices found and fixed.
Level settings are not backward-compatible; back up your 0.6.x configuration if you plan to downgrade.
Update NSCL to work around a change in Chrome permissions:
Use HTTPS endpoint for Chromium (works around lack of file access by default on packed extensions), see
Also includes a work-around for object element initialization inconsistencies on Firefox
Fix wrapping of navigator.plugins in Firefox. This regression appeared in 0.6 in the generated code restricted by the apply_if condition.
Make sure that dynamically created iframes are not vulnerable to leaking unwrapped APIs (Update NSCL)
Fix FPD when run in a limited environment
Do not interfere with time explicitly given to the Date object
Fix Network Boundary Shield name in the popup
Fix required permissions for Chromium-based browsers - webNavigation is not needed
Disable FPD by default, you are welcome to opt-in
Provide access to advanced options from the main options page
Fix update script to migrate to new configuration
New protection: Fingerprint detector, see the blogpost for explanation.
Physical environment wrapper group added. It contains Sensor, Magnetometer, Accelerometer, LinearAccelerationSensor, GravitySensor wrappers. Some readings might be inconsistent. Gyroscope and Orientation sensors will be a part of a future release.
It is possible to import/export configuration (Github issue #159).
Improved accessibility of the pop up and option pages.
Bugfix: Fix double injection of some wrappers. For example, this solves regression in Geolocation
wrapper introduced in 0.5.
Tighter content script initialization
Bugfix: wrap Navigator.prototype and Geolocation.prototype instead of navigator and
Remove additional Geolocation API objects when Geolocation is disabled completely
Icons updated and synced with the JShelter website
Dark style support added (Github issue #134)
Bugfix: Removal of debugging noise (Github issue #139)
Bugfix: Allow removal of user-defined levels with names of a built-in level
Bugfix: Make sure that all user-defined levels are displayed in "Specific domain level configuration"
Bugfix: Ignore non-existing levels for a specific domain
Bugfix: Cascade top document's level to subframes with no explicitly assigned level. (workaround
for Github issue #133).
Do not display NBS notifications when accessing 0.0.0.0 and :: (workaround for Github issue #125)
Improve NBS description in the option/settings page.
Display level names in the pop up to improve usability.
Bugfix: Do not modify JS environment on level 0. Regression appeared in 0.5.
Bugfix: Display correctly NBS status at the current page (Github issue #114)
Rebranding step 1: change UI-facing icons
Set minimal pop up width so that the pop up is usable in Chrome (Github issue #112, Pagure issue
Chromium-based browsers: revise Battery API protection that should match the expectations of page
scripts (mimic Firefox behaviour).
Fixed typos in settings.
Add fingerprinting defenses based on Farbling developed by the Brave browser (improved or added wrappers for Canvas, Audio, Web GL, device memory, hardware concurrency, enumerateDevices). Most wrappers support provisioning of white lies that differ between origins and sessions (the fingerprint is different across origins and across sessions).
We claimed to generate a white image as the fake Canvas value but instead generated a fully transparent black image. We now generate the white image, as it is more common in other anti-canvas fingerprinting tools (level 3).
toDataURL() no longer destroys the original canvas.
We use NoScript Commons Library to simplify some tasks like cross-browser support.
More reliable early content script configuration.
CSP headers no longer prevent the extension from wrapping JS APIs in Firefox (Github issue #25)
Wrappers should be injected reliably before page scripts start to operate (Github issue #40)
We use NSCL to wrap APIs in iframes and workers
It is no longer possible to access unwrapped functions from iframes and workers (Pagure issue #2, Github issue #56)
Ignore trailing '.' in domain names when selecting appropriate custom level.
Do not freeze wrappers to prevent fingerprintability of the users of JShelter. We wrap the correct function in the prototype chain instead.
navigator.getGamepads() wrapper added
navigator.activeVRDisplays() and navigator.xr wrappers added
Limit precision of high resolution timestamps in the Event, VRFrameData, and Gamepad interface to be consistent
with Date and Performance precision
Wrap Beacon API
Bugfix: inject content scripts to all iframes
Fix exception throwing in the code generator dealing with Firefox bug 1267027
NBS improvements for Chromium-based browsers: block a host after detecting the first suspicious HTTP request from the public to the private network.
Add wrapper of MediaDevices.prototype.enumerateDevices
Fix missing Date properties
Fix Geolocation overflows appearing near poles
Improve handling of domain names (URLs):
Handle IPv4 addresses used as hostnames correctly
Do not treat TLD specially and allow specifying wrapping levels for TLDs
Fix handling of two-letter second-level domains
Fix exception throwing in the code generator dealing with Firefox bug 1267027
Bugfix: Do not try to redefine undefined objects. The exceptions thrown in injected code used to
prevent application of all the wrapping code.
Add an option to clear window.name with each page reload.
Rewrite the NBS for Chromium-based browsers with a custom DNS cache built with resolved data available in onResponseStartedListener()
Fix the amount of saved data through pop-up (for a specific domain), it is much harder to reach
Re-introduced Geolocation API wrapping (several settings available).
Bugfix: Set up domain-specific levels from storage correctly
Wrap PerformanceEntry instead of performance.getEntries*() - prevents a known leak of precise
time stamps in Chromium-based browsers.
Add note on the effectiveness of time randomization
Firefox: fix background and content script synchronization, use correct naming (improves speed)
Time wrappers in Firefox affected by the Firefox CSP bug should work better. However, the precise timers are not wrapped, see also #25.
NBS message for Chromium-based browsers reworded.
Improve compatibility with Chromium based browsers
Major code rewrite - make the code more modular, remove duplications
Network Boundary Shield prevents web pages from using the browser as a proxy between the local network and the public Internet. See the Forcepoint report for an example of the attack. The protection encapsulates the WebRequest API, so it captures all outgoing requests.
Allow multiple custom levels
Do not modify DOM of displayed pages (the modifications were detectable by the page scripts and may
reveal that the user is running JShelter)
Canvas fingerprinting: originally, only toDataURL was blocked. The extension now blocks CanvasRenderingContext2D.prototype.getImageData and HTMLCanvasElement.prototype.toBlob.
Block additional methods to get performance data.
Unfortunately, we do not migrate old settings as the levels were redesigned and several features
were removed. We expect to migrate previous settings in the future.
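The Network Boundary Shield entries above (block public-to-private requests, block undefined addresses 0.0.0.0 and [::] without a notification, optional passive mode) can be illustrated with the following added example. It is not JShelter source code; the function names, the set of private ranges, and the choice that passive mode also lets undefined addresses through are assumptions made for the sketch.

```javascript
// Added example, not JShelter source: simplified NBS-style decision for IP literals.
// Assumptions: no DNS resolution, no IPv4-mapped IPv6, loose IPv6 validation;
// "private" = RFC 1918, loopback, link-local and IPv6 unique-local ranges.
function classify(ip) {
  const host = ip.replace(/^\[|\]$/g, "").toLowerCase(); // strip URL brackets
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m) {
    const [a, b, c, d] = m.slice(1).map(Number);
    if ([a, b, c, d].some((o) => o > 255)) throw new TypeError(`bad IPv4: ${ip}`);
    if (a + b + c + d === 0) return "undefined";          // 0.0.0.0
    const priv = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254);
    return priv ? "private" : "public";
  }
  if (!/^[0-9a-f:]+$/.test(host) || !host.includes(":")) {
    throw new TypeError(`not an IP literal: ${ip}`);
  }
  if (/^[0:]+$/.test(host)) return "undefined";            // :: in any spelling
  if (/^[0:]+1$/.test(host)) return "private";             // ::1 loopback
  if (/^f[cd][0-9a-f]{2}:/.test(host)) return "private";   // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(host)) return "private";   // fe80::/10 link-local
  return "public";
}

// pageIp: address the page was served from; destIp: address the request targets.
// passive: notify the user but do not block (assumed to apply to every case).
function decide(pageIp, destIp, { passive = false } = {}) {
  const dest = classify(destIp);
  // Undefined destination: blocked silently, no notification.
  if (dest === "undefined") return { block: !passive, notify: false };
  // The boundary is crossed only when a public page reaches into a private network.
  const crossing = classify(pageIp) === "public" && dest === "private";
  return { block: crossing && !passive, notify: crossing };
}

// Constructed sample requests (documentation addresses, not real traffic).
const SAMPLES = [
  ["203.0.113.7", "192.168.1.1"],   // public page -> private host
  ["203.0.113.7", "[::]"],          // public page -> undefined address
  ["192.168.1.20", "192.168.1.1"],  // local page -> local host
  ["203.0.113.7", "198.51.100.9"],  // public page -> public host
];
function runSamples(opts) {
  return SAMPLES.map(([page, dest]) => decide(page, dest, opts));
}
```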