
WebAPI Manager: limit website access to Web APIs

WebAPI Manager is an open source extension for the Firefox and Google Chrome web browser that you may use to limit website access to Web APIs.

Support for new features and technologies exploded in recent years. Browser makers like Mozilla or Google integrate APIs into their web browsers that websites may use.

While there is no doubt that many of these features are beneficial, as they give sites new capabilities, some features may also be abused, and others are not really used by many sites at all.

The author of WebAPI Manager identified two core issues when it comes to the integration of new functionality in web browsers: that some features are rarely if ever used, and that features are used for non-user-serving purposes such as fingerprinting or attacking them outright.

WebAPI Manager

WebAPI Manager is a browser extension for Google Chrome and Mozilla Firefox that gives you control over WebAPI use in the browser. While I have not tried the extension in browsers like Opera or Vivaldi, it is likely that it will work in those browsers as well.

The extension won't change support for any APIs by default. It is up to you to limit access to APIs, and you have two main options to do that.

You may enable a suggested configuration. WebAPI Manager includes three which differ regarding aggressiveness. The lite configuration should have minimal impact on the functionality of sites while conservative and aggressive settings may impact functionality more but improve security and privacy more as well.

The extension marks all features of the selected configuration so that you know what gets blocked when you apply it.

You don't need to use suggested configurations. You may create a custom configuration and have it applied automatically to sites you visit. This requires a more in-depth knowledge of APIs and technologies, however.

The extension lists general information on the configuration page and links to specifications so that you may read up on a certain feature before deciding whether to block it or not.

The list of APIs and features that you may block is extensive. To name a few: Service Workers, WebGL 2.0, Canvas Element, Scalable Vector Graphics, Battery Status API, Ambient Light Sensor, Vibration API, Encrypted Media Extensions, WebVR, Web Audio API, Payment Request API, Beacon, Push API, or WebRTC 1.0.

WebAPI Manager may block functionality on matching domains using host-matching regular expressions, or across all domains using the default blocking rule.

The extension includes two features right now that reveal the APIs and functions a website uses to you. It adds an icon to the browser's toolbar on installation that displays the number of sites and whether APIs are blocked. This works similarly to how content blockers such as NoScript or uBlock Origin highlight activity.


A click on the icon lists each host and the number of APIs blocked. The interface has an "allow all" button to whitelist a domain and an option to configure blocking rules for the host in question.

The second option that you have to find out which features sites use is to enable passive logging. This logs all functionality so that you may access it and see which APIs sites use. You may use the information to customize rules for specific sites and export all logged information for all tabs at once.
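The two mechanisms described above, host-matching rules that replace selected APIs and a passive logging mode that leaves them callable but records each use, modelled as an added JavaScript example. This is not WebAPI Manager's own code: the window object, the rule list, the API paths and every function name here are constructed for this illustration so that it runs offline in Node.

```javascript
// Constructed stand-in for a page's window object (assumption: only the APIs
// this example touches are modelled).
function makeFakeWindow() {
  return {
    navigator: {
      vibrate: (ms) => true,
      getBattery: () => Promise.resolve({ level: 0.87 }),
      userAgent: 'constructed/1.0',
    },
    HTMLCanvasElement: {
      prototype: {
        toDataURL: () => 'data:image/png;base64,AAAA',
      },
    },
  };
}

// APIs the (hypothetical) extension knows how to intercept, as dotted paths
// from the window object. Passive logging wraps all of them.
const KNOWN_APIS = [
  'navigator.vibrate',
  'navigator.getBattery',
  'HTMLCanvasElement.prototype.toDataURL',
];

// Constructed rule list: the first rule whose host regex matches wins; the
// final catch-all is the default blocking rule.
const RULES = [
  { host: /^(.*\.)?trusted\.example$/, block: [] },
  { host: /^(.*\.)?tracker\.example$/, block: ['navigator.getBattery', 'HTMLCanvasElement.prototype.toDataURL'] },
  { host: /.*/, block: ['navigator.vibrate'] },
];

function findRule(hostname, rules = RULES) {
  return rules.find((r) => r.host.test(hostname));
}

// Resolve a dotted path to its parent object and final property name.
// Missing intermediate objects yield an undefined parent, which callers skip,
// so a rule naming an API the browser lacks is harmless.
function resolve(root, path) {
  const parts = path.split('.');
  const prop = parts.pop();
  const parent = parts.reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
  return { parent, prop };
}

// mode 'block': replace every API listed in the matching rule with a stub that
// records the attempt and returns undefined, so the page sees the feature as
// unavailable.
// mode 'log': wrap every known API so each call is appended to the log but the
// original still runs (passive logging).
// Returns the log array so callers can inspect what happened.
function applyRules(win, hostname, mode, log = [], rules = RULES) {
  const rule = findRule(hostname, rules);
  const targets = mode === 'log' ? KNOWN_APIS : (rule ? rule.block : []);
  for (const path of targets) {
    const { parent, prop } = resolve(win, path);
    if (parent == null || typeof parent[prop] !== 'function') continue;
    const original = parent[prop];
    parent[prop] = function (...args) {
      log.push({ host: hostname, api: path, mode });
      return mode === 'block' ? undefined : original.apply(this, args);
    };
  }
  return log;
}

// Per-host counts of intercepted calls, the kind of figure a toolbar badge
// would display.
function summarize(log) {
  const counts = {};
  for (const entry of log) counts[entry.host] = (counts[entry.host] || 0) + 1;
  return counts;
}

// Stand-alone run: block on a tracker host, then passively log on another.
const page = makeFakeWindow();
applyRules(page, 'cdn.tracker.example', 'block', []);
page.navigator.getBattery(); // returns undefined, attempt is recorded
const watched = makeFakeWindow();
const trace = applyRules(watched, 'news.example', 'log', []);
watched.navigator.vibrate(50);
console.log(summarize(trace));
```

The block stub returns undefined rather than throwing so that feature-detection code on the page (`if (navigator.getBattery)`) takes its "unsupported" branch instead of crashing, which is the behaviour a user would expect from "this browser does not have the API". First-match-wins ordering means a specific host rule fully overrides the default rule, so the default's blocked APIs must be repeated in a host rule if they should stay blocked there.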

WebAPI Manager supports rule importing and exporting, useful if you want to use the extensions on multiple devices or across different browsers.

The future

Of all the planned features that may land at one point or another, it is support for rule sets that I'm most excited about. The system would work similarly to how content blockers load rule lists right now. This would make it easier for users who want to improve their privacy and security without investing a lot of time into researching Web APIs and customizing access for sites based on trial and error.

Closing Words

WebAPI Manager is an excellent companion extension for content blockers. While some content blockers may block some features as well or may be configured to do so, the bulk is not touched if scripts run on the root domain.

You can use it to block features that many sites abuse, Canvas and Beacon come to mind, or use an aggressive configuration and customize it only if sites you visit regularly require certain functionality to run properly. (via gHacks)


This article was first seen on ComTek's "TekBits" Technology News
