Abstract
While JavaScript established itself as a cornerstone of the modern web, it also constitutes a major tracking and security vector, thus raising critical privacy and security concerns. In this context, some browser extensions propose to systematically block scripts reported by crowdsourced trackers lists. However, this solution heavily depends on the quality of these built-in lists, which may be deprecated or incomplete, thus exposing the visitor to unknown trackers. In this article, we explore a different strategy by investigating the benefits of disabling JavaScript in the browser. More specifically, by adopting such a strict policy, we aim to quantify the JavaScript addiction of web elements composing a web page through the observation of web breakages. As there is no standard mechanism for detecting such breakages, we introduce a framework to inspect several page features when blocking JavaScript, that we deploy to analyze 6,384 pages, including landing and internal web pages. We discover that 43% of web pages are not strictly dependent on JavaScript and that more than 67% of pages are likely to be usable as long as the visitor only requires the content from the main section of the page, for which the user most likely reached the page, while reducing the number of tracking requests by 85% on average. Finally, we discuss the viability of currently browsing the web without JavaScript and detail multiple incentives for websites to be kept usable without JavaScript.
- [1] 2019. Semantic UI Documentation. Retrieved March 17, 2021 from from https://semantic-ui.com/introduction/getting-started.html.Google Scholar
- [2] 2021. About Tailwind Elements. Retrieved August 10, 2021 from https://tailwind-elements.com/.Google Scholar
- [3] 2021. NuxtJS Homepage. Retrieved April 26, 2021 from https://nuxtjs.org/.Google Scholar
- [4] 2021. Svelte Website. Retrieved April 26, 2021 from https://svelte.dev/.Google Scholar
- [5] . 2014. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, , , and (Eds.). ACM, 674–689.
DOI: Google ScholarDigital Library
- [6] . 2021. Mozilla Support—Firefox’s Protection against Fingerprinting. Retrieved May 5, 2021 from https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting.Google Scholar
- [7] . 2021. Mozilla Support—Enhanced Tracking Protection in Firefox for Desktop. Retrieved May 5, 2021 from https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop.Google Scholar
- [8] . 2020. HTTP Archive Web Almanac—JavaScript Usage. Retrieved April 25, 2021 from https://almanac.httparchive.org/en/2020/javascript#how-much-javascript-do-we-use.Google Scholar
- [9] . 2020. HTTP Archive Web Almanac—
data-* Attributes. Retrieved March 18, 2021 from https://almanac.httparchive.org/en/2020/markup#data--attributes.Google Scholar - [10] . 2022. HTTP Archive Web Almanac—How much JavaScript do we Load? Retrieved May 23, 2022 from https://almanac.httparchive.org/en/2021/javascript#how-much-javascript-do-we-load.Google Scholar
- [11] . 2022. HTTP Archive Web Almanac—Markup. Retrieved May 30, 2022 from https://almanac.httparchive.org/en/2021/markup#main.Google Scholar
- [12] . 2020. On landing and internal web pages: The strange case of Jekyll and Hyde in web performance measurement. In Proceedings of the ACM Internet Measurement Conference (IMC’20). ACM, 680–695.
DOI: Google ScholarDigital Library
- [13] . 2021. Hispar List—Archive. (2021). Retrieved May 5, 2021 from https://hispar.cs.duke.edu/archive/hispar-list-21-01-28.zip.Google Scholar
- [14] . 2021. To block or not to block: Accelerating mobile web pages on-the-fly through JavaScript classification.
arXiv:2106.13764. Retrieved from https://arxiv.org/abs/2106.13764.Google Scholar - [15] . 2020. JSCleaner: De-cluttering mobile webpages through JavaScript cleanup. In Proceedings of the World Wide Web Conference (WWW’20), , , , and (Eds.). ACM / IW3C2, 763–773.
DOI: Google ScholarDigital Library
- [16] . 2021. Detecting filter list evasion with event-loop-turn granularity JavaScript signatures. In Proceedings of the IEEE Symposium on Security and Privacy.Google Scholar
Cross Ref
- [17] . 2019. How JavaScript Rendering Works. Retrieved May 6, 2021 from https://www.deepcrawl.com/knowledge/ebooks/javascript-seo-guide/how-javascript-rendering-works/.Google Scholar
- [18] . 2018. The web’s sixth sense: A study of scripts accessing smartphone sensors. In Proceedings of the 25th ACM Conference on Computer and Communication Security (CCS’18). ACM.
DOI: Google ScholarDigital Library
- [19] . 2020. PERCIVAL: Making in-browser perceptual Ad blocking practical with deep learning. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC’20). USENIX Association, 387–400. Google Scholar
- [20] . 2018. AngularJS Website. Retrieved April 26, 2021 from https://angularjs.org/.Google Scholar
- [21] . 2019. Making JavaScript and Google Search Work Together. (2019). Retrieved May 6, 2021 from https://web.dev/javascript-and-google-search-io-2019/.Google Scholar
- [22] . 2019. web.dev—Without JavaScript. Retrieved April 26, 2021 from https://web.dev/without-javascript/.Google Scholar
- [23] . 2015. An automated approach for complementing Ad blockers’ blacklists. Proc. Priv. Enhanc. Technol. 2015, 2 (2015), 282–298.
DOI: Google ScholarCross Ref
- [24] . 2017. Going Beyond Google: Are Search Engines Ready for JavaScript Crawling & Indexing? Retrieved May 6, 2021 from https://moz.com/blog/search-engines-ready-for-javascript-crawling.Google Scholar
- [25] . 2014. Understanding Web Pages Better. (2014). Retrieved April 26, 2021 from https://webmasters.googleblog.com/2014/05/understanding-web-pages-better.html.Google Scholar
- [26] . 2020. uMatrix Repository. Retrieved May 10, 2021 from https://github.com/gorhill/uMatrix.Google Scholar
- [27] . 2021. uBlock Origin Repository. Retrieved May 10, 2021 from https://github.com/gorhill/uBlock/.Google Scholar
- [28] . 2021. Mozilla Hacks—Introducing State Partitioning. Retrieved May 5, 2021 from https://hacks.mozilla.org/2021/02/introducing-state-partitioning/.Google Scholar
- [29] 2021. React Website. (2021). Retrieved April 26, 2021 from https://reactjs.org/.Google Scholar
- [30] . 2021. Fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors. In Proceedings of the 42nd IEEE Symposium on Security and Privacy (SP’21). IEEE, 1143–1161.
DOI: Google ScholarCross Ref
- [31] . 2022. Measuring the privacy vs. compatibility trade-off in preventing third-party stateful tracking. In Proceedings of the ACM Web Conference (WWW’22), , , , , , , and (Eds.). ACM, 710–720.
DOI: Google ScholarDigital Library
- [32] . 2021. Awakening the web’s sleeper agents: Misusing service workers for privacy leakage. In Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS’21). The Internet Society.Google Scholar
Cross Ref
- [33] . 2020. Google Developers—Gaining Security and Privacy by Partitioning the Cache. Retrieved May 5, 2021 from https://developers.google.com/web/updates/2020/10/http-cache-partitioning.Google Scholar
- [34] . 2021. GitHub Ranking—Repositories Ranking. Retrieved August 11, 2021 from https://gitstar-ranking.com/repositories.Google Scholar
- [35] . 2020. Browser fingerprinting: A survey. ACM Trans. Web 14, 2 (2020), 8:1–8:33.
DOI: Google ScholarDigital Library
- [36] . 2016. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. In Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P’16).Google Scholar
Cross Ref
- [37] . 2021. Fingerprinting in style: Detecting browser extensions via injected style sheets. In Proceedings of the 30th USENIX Security Symposium.Google Scholar
- [38] . 2020. Who touched my browser fingerprint?: A large-scale measurement study and classification of fingerprint dynamics. In Proceedings of the ACM Internet Measurement Conference (IMC’20). ACM, 370–385.
DOI: Google ScholarDigital Library
- [39] . 2017. Practical keystroke timing attacks in sandboxed JavaScript. In Proceedings of the European Symposium on Research in Computer Security (ESORICS’17), , , and (Eds.). Springer International Publishing, Cham, 191–209. Google Scholar
Cross Ref
- [40] . 2021. NoScript Repository. Retrieved May 10, 2021 from https://github.com/hackademix/noscript.Google Scholar
- [41] . 2019. A large-scale study on the risks of the HTML5 WebAPI for mobile sensor-based attacks. In Proceedings of the 30th International World Wide Web Conference (WWW’19). ACM.Google Scholar
Digital Library
- [42] . 2021. Mozilla Developer Network—HTML Elements Reference. Retrieved March 17, 2021 from https://developer.mozilla.org/en-US/docs/Web/HTML/Element.Google Scholar
- [43] . 2021. Mozilla Developer Network—<img>: The Image Embed Element—Loading Attribute. Retrieved March 17, 2021 from https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#attr-loading.Google Scholar
- [44] . 2021. webRequest.onBeforeRequest—Additional Objects. Retrieved May 18, 2021 from https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onBeforeRequest#additional_objects.Google Scholar
- [45] . 2021. Next.js Homepage. Retrieved April 26, 2021 from https://nextjs.org/.Google Scholar
- [46] . 2021. OpenDNS—Domain Tagging. Retrieved April 30, 2021 from https://community.opendns.com/domaintagging/.Google Scholar
- [47] . 2021. OpenDNS—Domain Tagging—Categories. Retrieved April 30, 2021 from https://community.opendns.com/domaintagging/categories.Google Scholar
- [48] . 2021. Usage Statistics of JavaScript Libraries for Websites. Retrieved August 11, 2021 from https://w3techs.com/technologies/overview/javascript_library.Google Scholar
- [49] . 2021. Unveiling web fingerprinting in the wild via code mining and machine learning. Proc. Priv. Enhanc. Technol. 2021, 1 (2021), 43–63.
DOI: Google ScholarCross Ref
- [50] . 2021. SoK: In search of lost time: A review of JavaScript timers in browsers. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P’21). IEEE, 472–486.
DOI: Google ScholarCross Ref
- [51] . 2020. What’s Brave Done For My Privacy Lately? Episode #3: Fingerprint Randomization. Retrieved May 37, 2021 from https://brave.com/privacy-updates-3/.Google Scholar
- [52] . 2020. mozilla-central—In RFP Mode, Turn Canvas Image Extraction into a Random ‘Poison Pill’ for Fingerprinters. Retrieved May 27, 2021 from https://hg.mozilla.org/mozilla-central/rev/ab2a75db3ebe.Google Scholar
- [53] . 2021. Prime+Probe 1, JavaScript 0: Overcoming browser-based side-channel defenses. In Proceedings of the 30th USENIX Security Symposium (USENIX Security’21), and (Eds.). USENIX Association, 2863–2880. Google Scholar
- [54] . 2020. Filter list generation for underserved regions. In Proceedings of the World Wide Web Conference (WWW’20), , , , and (Eds.). ACM / IW3C2, 1682–1692.
DOI: Google ScholarDigital Library
- [55] . 2020. Who filters the filters: Understanding the growth, usefulness and efficiency of crowdsourced Ad Blocking. Proc. ACM Meas. Anal. Comput. Syst. 4, 2 (2020), 26:1–26:24.
DOI: Google ScholarDigital Library
- [56] . 2021. Tales of favicons and caches: Persistent tracking in modern browsers. In Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS’21). The Internet Society. Google Scholar
Cross Ref
- [57] . 2021. Bootstrap Documentation—Accordion. Retrieved October 25, 2021 from https://getbootstrap.com/docs/5.1/components/accordion/.Google Scholar
- [58] . 2021. Bootstrap Documentation—Components. Retrieved October 25, 2021 from https://getbootstrap.com/docs/5.1/getting-started/introduction/#components.Google Scholar
- [59] . 2021. Bootstrap Documentation—Dropdowns. Retrieved October 25, 2021 from https://getbootstrap.com/docs/5.1/components/dropdowns/.Google Scholar
- [60] . 2021. Bootstrap Homepage. Retrieved April 25, 2021 from https://getbootstrap.com/.Google Scholar
- [61] . 2021. Bootstrap JavaScript. Retrieved April 26, 2021 from https://getbootstrap.com/docs/5.1/getting-started/javascript/.Google Scholar
- [62] . 2018. A bestiary of blocking: The motivations and modes behind website unavailability. In Proceedings of the 8th USENIX Workshop on Free and Open Communications on the Internet (FOCI’18), and (Eds.). USENIX Association. Google Scholar
- [63] . 2020. On the battery consumption of mobile browsers.
arXiv:2009.03740 . Retrieved from https://arxiv.org/abs/2009.03740.Google Scholar - [64] . 1999. HTML4 Specification—Specifying Anchors and Links. Retrieved March 18, 2021 from https://www.w3.org/TR/html401/struct/links.html#h-12.1.3.Google Scholar
- [65] . 2021. ARIA Specification—Design Patterns and Widgets. Retrieved March 17, 2021 from https://w3c.github.io/aria-practices/#aria_ex.Google Scholar
- [66] . 2021. HTML Specification—Custom Data Attribute. Retrieved March 17, 2021 from https://html.spec.whatwg.org/#custom-data-attribute.Google Scholar
- [67] . 2021. HTML Specification—Implicit Submission. Retrieved March 18, 2021 from https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#implicit-submission.Google Scholar
- [68] . 2021. HTML Specification—Scroll to the Fragment Identifier. Retrieved March 18, 2021 from https://html.spec.whatwg.org/multipage/browsing-the-web.html#scroll-to-the-fragment-identifier.Google Scholar
- [69] . 2020. A comparative measurement study of web tracking on mobile and desktop environments. Proc. Priv. Enhanc. Technol. 2020, 2 (2020), 24–44.
DOI: Google ScholarCross Ref
- [70] . 2021. Foundation Documentation. Retrieved March 17, 2021 from https://get.foundation/sites/docs/.Google Scholar
- [71] . 2021. Vue.js Website. Retrieved April 26, 2021 from https://vuejs.org/.Google Scholar
- [72] . 2018. Measuring and disrupting anti-adblockers using differential execution analysis. In Proceedings of the 25th Annual Network and Distributed System Security Symposium (NDSS’18). The Internet Society. Google Scholar
Cross Ref
Index Terms
Breaking Bad: Quantifying the Addiction of Web Elements to JavaScript
Recommendations
JSRehab: Weaning Common Web Interface Components from JavaScript Addiction
WWW '22: Companion Proceedings of the Web Conference 2022Leveraging JavaScript (JS) for User Interface (UI) interactivity has been the norm on the web for many years. Yet, using JS increases bandwidth and battery consumption as scripts need to be downloaded and processed by the browser. Plus, client-side JS ...
An Analysis of URLs Generated from JavaScript Code
ICIS '12: Proceedings of the 2012 IEEE/ACIS 11th International Conference on Computer and Information ScienceSearch engines use a crawling system to recursively download web pages, analyze HTML pages, and generate a new list of URLs to crawl. As web pages are becoming more dynamic than before, JavaScript is heavily used, which poses a great challenge for the ...






Comments