FilterPlus: A real-time content filtering extension for Google Chrome
Bofin Babu, Mohan Kumar
Department of Computer Science
BITS-Pilani Hyderabad Campus
{h2013313085, h2013313083}@hyderabad.bits-pilani.ac.in

Abstract
Content filtering in web browsers is a tedious process for most people, for several reasons. By blocking JavaScript, cookies and popups, end users can ensure maximum protection from browser-based attacks and vulnerabilities. To accomplish this, we built an extension for Google Chrome which allows users to have easy control over what they wish to receive from a web page. We also built this extension in such a way that it remembers the options chosen by the user for every URL, thereby letting users create rules for the websites they visit.
Extensions are programs written to enhance the functionality of web browsers. They give developers a platform for building browser-based applications and help users improve their web browsing experience. In the Google Chrome web browser, extensions are quite popular [1]. Among the installed extensions in Chrome, a good percentage of the share goes to popup blockers [2] and JavaScript blockers. Although many security extensions are available online, most of them lack the essential features to let users control what they want to see from a web page.

Figure 1: Web-based attacks blocked per day during the years 2011, 2012 and 2013 by Norton Internet Security software [4].

Chrome, being the most popular web browser [3], has added several security features in recent years. Yet the majority of users are still at risk of attacks through it. During the past years, the number of web-based attacks showed a huge increase [4].

Since browsers are the primary source of internet traffic, the above statistics lead us to the conclusion that, if we can implement an effective method of blocking web content, we can reduce a considerable number of the attacks happening all over the world. This was the primary motivation of our project: to develop a security extension which allows users to choose what they want to receive from a URL.

arXiv [cs.CR], Jul

In this project, we develop a content filtering extension named “FilterPlus” targeting the Chrome browser. We included features for controlling cookies, images, popups, JavaScript and notifications in our extension. We also made it in such a way that the blocking rule created for a particular website is remembered by the browser and applied automatically whenever the user revisits it.

Google Chrome extensions are basically built using HTML, CSS and JavaScript. The essential part of every Chrome extension is a manifest.json file.
This manifest file is nothing more than a JSON-formatted table of contents, containing properties of the extension. At a high level, it is used to tell Chrome what the extension is going to do, and what permissions it requires in order to do those things.

The first line of the manifest file specifies the manifest version. Since manifest version 1 was deprecated in Chrome 18, developers are currently recommended to specify “manifest_version”: 2 in the manifest file. The line that follows includes three parameters, “name”, “description” and “version”, which specify the name, description and current version of the extension. The next parameter is “permissions”, which basically uses the chrome.permissions
API to request declared optional permissions at run time. The next line is “browser_action”, which allows the extension to put an icon in the main Google Chrome toolbar, to the right of the address bar. Normally it contains a “default_icon” parameter, which specifies the icon to be displayed in the browser, and a “default_popup” parameter, which specifies the popup window displayed when the user clicks the icon.

The HTML file corresponding to “default_popup” contains the HTML code for the popup. In most cases it also links to a CSS (Cascading Style Sheets) file which describes the look and formatting of the HTML document. An extension that performs specific tasks, rather than merely displaying markup, also needs to be linked with a JavaScript file to perform the required task. This JavaScript lets the developer process the web content and make API calls to the browser core and/or to external applications, depending on the purpose. A recent standard adopted by Google Chrome strictly prohibits the addition of JavaScript inside the HTML documents [5], thereby creating the need for a separate JavaScript file linked to the popup HTML document.
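The manifest layout and the no-inline-script rule described above can be checked mechanically before an extension is packed. The following is an added example, not code from the paper or from FilterPlus; the file names, the two listed permissions and the helper `auditExtension` are assumptions made for illustration.

```javascript
// Constructed sample manifest using only the keys the text describes.
// File names and the two permissions are assumptions, not FilterPlus's own.
const sampleManifest = {
  manifest_version: 2,
  name: "FilterPlus",
  description: "Real-time content filtering",
  version: "1.0",
  permissions: ["contentSettings", "tabs"],
  browser_action: { default_icon: "icon.png", default_popup: "popup.html" }
};

// Constructed popup pages: one links an external script, one inlines code.
const goodPopup = '<link rel="stylesheet" href="popup.css">' +
  '<select id="cookies"></select><script src="popup.js"></script>';
const badPopup = '<button onclick="save()">Save</button>' +
  '<script>function save() {}</script>';

// Returns a list of problems; an empty list means the manifest and popup
// match the structure described in the text.
function auditExtension(manifest, popupHtml) {
  const findings = [];
  if (manifest.manifest_version !== 2) findings.push("manifest_version must be 2");
  for (const key of ["name", "description", "version"]) {
    if (typeof manifest[key] !== "string" || manifest[key] === "") {
      findings.push("missing " + key);
    }
  }
  if (!Array.isArray(manifest.permissions)) findings.push("permissions must be a list");
  const action = manifest.browser_action || {};
  for (const key of ["default_icon", "default_popup"]) {
    if (!action[key]) findings.push("browser_action lacks " + key);
  }
  // Chrome's extension content security policy refuses inline code, so every
  // <script> needs a src attribute and an empty body, and no on* handlers.
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptTag.exec(popupHtml)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) || m[2].trim() !== "") {
      findings.push("inline <script> in popup");
    }
  }
  if (/<[^>]+\son[a-z]+\s*=/i.test(popupHtml)) findings.push("inline event handler in popup");
  return findings;
}

console.log(auditExtension(sampleManifest, goodPopup));
console.log(auditExtension(sampleManifest, badPopup));
```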
Extensions are platform dependent. An extension written for Chrome will not work on other browsers, say Firefox or Safari, unless it is rewritten to support them. Special care has to be taken when developing Chrome extensions, since Chrome incorporates many security features and implements privilege escalation. Three security criteria included in Chrome are Safe Browsing, Sandboxing and Auto-updates. The Safe Browsing feature gives a warning message to the user when he/she tries to visit a potentially malicious web page. The Sandbox adds an additional layer of protection to the browser by protecting against malicious web pages that try to leave programs on the user’s computer, monitor his/her web activities or steal any form of private information from the hard drive [6]. The Auto-update feature enables the browser to check for updates periodically to make sure that it is always up to date, to ensure better protection.

Figure 2: Extensions are divided into three components: content scripts, an extension core and a native binary [7].

Chrome extensions are also divided into three components, each with progressively more privileges and less exposure to malicious web content. The content script has direct access to the DOM (Document Object Model) of a web page and is exposed to potentially malicious input. The extension core, which has the bulk of the extension privileges, interacts with the web content via XMLHttpRequest and the content script. The native binary is an optional part of an extension that needs arbitrary file access on the host machine. By separating these three components, Chrome achieves a great amount of security from vulnerabilities that act through its extensions.
We adapted four design criteria and secure usability principles from [8] for the design of this extension.

1. Provide branding, prevent spoofing: Every extension uploaded to the Chrome Web Store is assigned a unique key pair. The extension’s ID is based on a hash of the public key, thereby providing authenticity. We have also made a logo and a tile, “FilterPlus”, for our extension so that it provides a unique look and feel.
2. Effectiveness for naïve and off-guard users: This extension is easy to understand and has a simple GUI, such that even a user with no prior technical knowledge could use it effectively.
3. Minimize/avoid user work: This extension requires only minimum user effort. The user does not need to edit the settings of the browser to make the desired changes. He/she can also apply the same rule, without the need for repetition, whenever a previously defined URL is revisited.
4. Security must be usable to be used: Users may disable the security mechanisms which are hard to use or annoying, and doing so won’t affect the other functions of the extension.
Keeping in mind the desired design considerations and principles, we developed the extension “FilterPlus”. The HTML, CSS and JavaScript source files are properly linked and loaded. The extension is then packed, uploaded and made available to the public.

Figure 3: User interface of FilterPlus

The “Cookies” module has three options in the drop-down menu, namely “Allow”, “Session only” and “Block”. The “Allow” option enables cookies and the “Block” option disables them for the current URL. The “Session only” option allows cookies to be set only for the current session; they are removed when a new session starts. Disabling cookies will prevent sites from storing confidential user information on the host computer.

The “Images” module allows the user to block images in the current URL, if they want. Web sites containing obscene images can be made safe for work (SFW) using this feature.

The “JavaScript” module also has two options, either to enable or to disable JavaScript in the current web page. Through this feature, users can make sure that no JavaScript-based attack originating from the current web page affects their system.

The “Popups” module provides an option to block popups in the current tab. Since most adware makes use of popups, disabling them will protect users from adware.

The “Notifications” module has three options: allow, block or ask-and-allow browser notifications that are displayed on the desktop. Notifications can often be annoying or may contain links to third-party advertisements. They can be effectively disabled using this feature.
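The module options listed above map onto per-site rules of the kind Chrome's `chrome.contentSettings` API stores. The following is an added example, not the FilterPlus source: that the extension uses this API is an assumption, and `sitePattern`, `applyRules` and `recordingApi` are hypothetical helper names.

```javascript
// Allowed values per module, as listed in the text. The lower-case strings
// are the setting names chrome.contentSettings accepts.
const OPTIONS = {
  cookies: ["allow", "session_only", "block"],
  images: ["allow", "block"],
  javascript: ["allow", "block"],
  popups: ["allow", "block"],
  notifications: ["allow", "block", "ask"]
};

// Turn the current tab URL into a per-site pattern such as
// "https://example.com/*". Only http(s) pages can carry a rule here.
function sitePattern(tabUrl) {
  const u = new URL(tabUrl);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("no rule for scheme " + u.protocol);
  }
  return u.protocol + "//" + u.host + "/*";
}

// Validate every choice first, then write the rules, so one bad value
// cannot leave a site half-configured.
function applyRules(api, tabUrl, choices) {
  const primaryPattern = sitePattern(tabUrl);
  const entries = Object.entries(choices);
  for (const [kind, setting] of entries) {
    const known = Object.prototype.hasOwnProperty.call(OPTIONS, kind);
    if (!known || !OPTIONS[kind].includes(setting)) {
      throw new Error("invalid choice " + kind + "=" + setting);
    }
  }
  for (const [kind, setting] of entries) {
    api[kind].set({ primaryPattern, setting });
  }
  return primaryPattern;
}

// Stand-in for chrome.contentSettings that records calls, so the example
// runs under Node; inside an extension pass chrome.contentSettings instead.
function recordingApi(calls) {
  const api = {};
  for (const kind of Object.keys(OPTIONS)) {
    api[kind] = { set: (rule) => calls.push([kind, rule.primaryPattern, rule.setting]) };
  }
  return api;
}

// Constructed input: a sample URL and three choices from the popup.
const demoCalls = [];
applyRules(recordingApi(demoCalls), "https://example.com/news?id=7",
  { cookies: "session_only", javascript: "block", notifications: "ask" });
console.log(demoCalls);
```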
The focus of this project was to develop a real-time content filtering extension for Google Chrome. As proposed, we have developed an extension which can filter images, popups, JavaScript code, cookies and notifications based on user preferences. This extension gives the user a reasonable amount of control over what they see, using a simple GUI.