skip to main content
research-article

Breaking Bad: Quantifying the Addiction of Web Elements to JavaScript

Published:23 February 2023Publication History
Skip Abstract Section

Abstract

While JavaScript established itself as a cornerstone of the modern web, it also constitutes a major tracking and security vector, thus raising critical privacy and security concerns. In this context, some browser extensions propose to systematically block scripts reported by crowdsourced trackers lists. However, this solution heavily depends on the quality of these built-in lists, which may be deprecated or incomplete, thus exposing the visitor to unknown trackers. In this article, we explore a different strategy by investigating the benefits of disabling JavaScript in the browser. More specifically, by adopting such a strict policy, we aim to quantify the JavaScript addiction of web elements composing a web page through the observation of web breakages. As there is no standard mechanism for detecting such breakages, we introduce a framework to inspect several page features when blocking JavaScript, that we deploy to analyze 6,384 pages, including landing and internal web pages. We discover that 43% of web pages are not strictly dependent on JavaScript and that more than 67% of pages are likely to be usable as long as the visitor only requires the content from the main section of the page, for which the user most likely reached the page, while reducing the number of tracking requests by 85% on average. Finally, we discuss the viability of currently browsing the web without JavaScript and detail multiple incentives for websites to be kept usable without JavaScript.

REFERENCES

  1. [1] 2019. Semantic UI Documentation. Retrieved March 17, 2021 from from https://semantic-ui.com/introduction/getting-started.html.Google ScholarGoogle Scholar
  2. [2] 2021. About Tailwind Elements. Retrieved August 10, 2021 from https://tailwind-elements.com/.Google ScholarGoogle Scholar
  3. [3] 2021. NuxtJS Homepage. Retrieved April 26, 2021 from https://nuxtjs.org/.Google ScholarGoogle Scholar
  4. [4] 2021. Svelte Website. Retrieved April 26, 2021 from https://svelte.dev/.Google ScholarGoogle Scholar
  5. [5] Acar Gunes, Eubank Christian, Englehardt Steven, Juárez Marc, Narayanan Arvind, and Díaz Claudia. 2014. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Ahn Gail-Joon, Yung Moti, and Li Ninghui (Eds.). ACM, 674689. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. [6] AliceWyman, Branton Wesley, Joni, tomrittervg, and user1632815. 2021. Mozilla Support—Firefox’s Protection against Fingerprinting. Retrieved May 5, 2021 from https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting.Google ScholarGoogle Scholar
  7. [7] AliceWyman, Rodaro Michele, Joni, Ghelman Marcelo, Gardenhire Lamont, Jeff, Lazar Angela, PGGWriter, [email protected], and Fabi. 2021. Mozilla Support—Enhanced Tracking Protection in Firefox for Desktop. Retrieved May 5, 2021 from https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop.Google ScholarGoogle Scholar
  8. [8] Almanac Web and contributors. 2020. HTTP Archive Web Almanac—JavaScript Usage. Retrieved April 25, 2021 from https://almanac.httparchive.org/en/2020/javascript#how-much-javascript-do-we-use.Google ScholarGoogle Scholar
  9. [9] Almanac Web and contributors. 2020. HTTP Archive Web Almanac—data-* Attributes. Retrieved March 18, 2021 from https://almanac.httparchive.org/en/2020/markup#data--attributes.Google ScholarGoogle Scholar
  10. [10] Almanac Web and contributors. 2022. HTTP Archive Web Almanac—How much JavaScript do we Load? Retrieved May 23, 2022 from https://almanac.httparchive.org/en/2021/javascript#how-much-javascript-do-we-load.Google ScholarGoogle Scholar
  11. [11] Almanac Web and contributors. 2022. HTTP Archive Web Almanac—Markup. Retrieved May 30, 2022 from https://almanac.httparchive.org/en/2021/markup#main.Google ScholarGoogle Scholar
  12. [12] Aqeel Waqar, Chandrasekaran Balakrishnan, Feldmann Anja, and Maggs Bruce M.. 2020. On landing and internal web pages: The strange case of Jekyll and Hyde in web performance measurement. In Proceedings of the ACM Internet Measurement Conference (IMC’20). ACM, 680695. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. [13] Aqeel Waqar, Chandrasekaran Balakrishnan, Maggs Bruce, and Feldmann Anja. 2021. Hispar List—Archive. (2021). Retrieved May 5, 2021 from https://hispar.cs.duke.edu/archive/hispar-list-21-01-28.zip.Google ScholarGoogle Scholar
  14. [14] Chaqfeh Moumena, Haseeb Muhammad, Hashmi Waleed, Inshuti Patrick, Ramesh Manesha, Varvello Matteo, Zaffar Fareed, Subramanian Lakshmi, and Zaki Yasir. 2021. To block or not to block: Accelerating mobile web pages on-the-fly through JavaScript classification. arXiv:2106.13764. Retrieved from https://arxiv.org/abs/2106.13764.Google ScholarGoogle Scholar
  15. [15] Chaqfeh Moumena, Zaki Yasir, Hu Jacinta, and Subramanian Lakshmi. 2020. JSCleaner: De-cluttering mobile webpages through JavaScript cleanup. In Proceedings of the World Wide Web Conference (WWW’20), Huang Yennun, King Irwin, Liu Tie-Yan, and Steen Maarten van (Eds.). ACM / IW3C2, 763773. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. [16] Chen Quan, Snyder Peter, Livshits Benjamin, and Kapravelos Alexandros. 2021. Detecting filter list evasion with event-loop-turn granularity JavaScript signatures. In Proceedings of the IEEE Symposium on Security and Privacy.Google ScholarGoogle ScholarCross RefCross Ref
  17. [17] Costello Rachel. 2019. How JavaScript Rendering Works. Retrieved May 6, 2021 from https://www.deepcrawl.com/knowledge/ebooks/javascript-seo-guide/how-javascript-rendering-works/.Google ScholarGoogle Scholar
  18. [18] Das Anupam, Acar Gunes, Borisov Nikita, and Pradeep Amogh. 2018. The web’s sixth sense: A study of scripts accessing smartphone sensors. In Proceedings of the 25th ACM Conference on Computer and Communication Security (CCS’18). ACM. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. [19] Din Zainul Abi, Tigas Panagiotis, King Samuel T., and Livshits Benjamin. 2020. PERCIVAL: Making in-browser perceptual Ad blocking practical with deep learning. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC’20). USENIX Association, 387400. Google ScholarGoogle Scholar
  20. [20] Google. 2018. AngularJS Website. Retrieved April 26, 2021 from https://angularjs.org/.Google ScholarGoogle Scholar
  21. [21] Google. 2019. Making JavaScript and Google Search Work Together. (2019). Retrieved May 6, 2021 from https://web.dev/javascript-and-google-search-io-2019/.Google ScholarGoogle Scholar
  22. [22] Google. 2019. web.dev—Without JavaScript. Retrieved April 26, 2021 from https://web.dev/without-javascript/.Google ScholarGoogle Scholar
  23. [23] Gugelmann David, Happe Markus, Ager Bernhard, and Lenders Vincent. 2015. An automated approach for complementing Ad blockers’ blacklists. Proc. Priv. Enhanc. Technol. 2015, 2 (2015), 282298. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  24. [24] Góralewicz Bartosz. 2017. Going Beyond Google: Are Search Engines Ready for JavaScript Crawling & Indexing? Retrieved May 6, 2021 from https://moz.com/blog/search-engines-ready-for-javascript-crawling.Google ScholarGoogle Scholar
  25. [25] Hendriks Erik, Xu Michael, and Nagayama Kazushi. 2014. Understanding Web Pages Better. (2014). Retrieved April 26, 2021 from https://webmasters.googleblog.com/2014/05/understanding-web-pages-better.html.Google ScholarGoogle Scholar
  26. [26] Hill Raymond. 2020. uMatrix Repository. Retrieved May 10, 2021 from https://github.com/gorhill/uMatrix.Google ScholarGoogle Scholar
  27. [27] Hill Raymond. 2021. uBlock Origin Repository. Retrieved May 10, 2021 from https://github.com/gorhill/uBlock/.Google ScholarGoogle Scholar
  28. [28] Hofmann Johann and Huang Tim. 2021. Mozilla Hacks—Introducing State Partitioning. Retrieved May 5, 2021 from https://hacks.mozilla.org/2021/02/introducing-state-partitioning/.Google ScholarGoogle Scholar
  29. [29] Inc. Facebook2021. React Website. (2021). Retrieved April 26, 2021 from https://reactjs.org/.Google ScholarGoogle Scholar
  30. [30] Iqbal Umar, Englehardt Steven, and Shafiq Zubair. 2021. Fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors. In Proceedings of the 42nd IEEE Symposium on Security and Privacy (SP’21). IEEE, 11431161. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  31. [31] Jueckstock Jordan, Snyder Peter, Sarker Shaown, Kapravelos Alexandros, and Livshits Benjamin. 2022. Measuring the privacy vs. compatibility trade-off in preventing third-party stateful tracking. In Proceedings of the ACM Web Conference (WWW’22), Laforest Frédérique, Troncy Raphaël, Simperl Elena, Agarwal Deepak, Gionis Aristides, Herman Ivan, and Médini Lionel (Eds.). ACM, 710720. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. [32] Karami Soroush, Ilia Panagiotis, and Polakis Jason. 2021. Awakening the web’s sleeper agents: Misusing service workers for privacy leakage. In Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS’21). The Internet Society.Google ScholarGoogle ScholarCross RefCross Ref
  33. [33] Kitamura Eiji. 2020. Google Developers—Gaining Security and Privacy by Partitioning the Cache. Retrieved May 5, 2021 from https://developers.google.com/web/updates/2020/10/http-cache-partitioning.Google ScholarGoogle Scholar
  34. [34] Kokubun Takashi. 2021. GitHub Ranking—Repositories Ranking. Retrieved August 11, 2021 from https://gitstar-ranking.com/repositories.Google ScholarGoogle Scholar
  35. [35] Laperdrix Pierre, Bielova Nataliia, Baudry Benoit, and Avoine Gildas. 2020. Browser fingerprinting: A survey. ACM Trans. Web 14, 2 (2020), 8:1–8:33. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. [36] Laperdrix Pierre, Rudametkin Walter, and Baudry Benoit. 2016. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. In Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P’16).Google ScholarGoogle ScholarCross RefCross Ref
  37. [37] Laperdrix Pierre, Starov Oleksii, Chen Quan, Kapravelos Alexandros, and Nikiforakis Nick. 2021. Fingerprinting in style: Detecting browser extensions via injected style sheets. In Proceedings of the 30th USENIX Security Symposium.Google ScholarGoogle Scholar
  38. [38] Li Song and Cao Yinzhi. 2020. Who touched my browser fingerprint?: A large-scale measurement study and classification of fingerprint dynamics. In Proceedings of the ACM Internet Measurement Conference (IMC’20). ACM, 370385. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. [39] Lipp Moritz, Gruss Daniel, Schwarz Michael, Bidner David, Maurice Clémentine, and Mangard Stefan. 2017. Practical keystroke timing attacks in sandboxed JavaScript. In Proceedings of the European Symposium on Research in Computer Security (ESORICS’17), Foley Simon N., Gollmann Dieter, and Snekkenes Einar (Eds.). Springer International Publishing, Cham, 191209. Google ScholarGoogle ScholarCross RefCross Ref
  40. [40] Maone Giorgio. 2021. NoScript Repository. Retrieved May 10, 2021 from https://github.com/hackademix/noscript.Google ScholarGoogle Scholar
  41. [41] Marcantoni Francesco, Diamantaris Michalis, Ioannidis Sotiris, and Polakis Jason. 2019. A large-scale study on the risks of the HTML5 WebAPI for mobile sensor-based attacks. In Proceedings of the 30th International World Wide Web Conference (WWW’19). ACM.Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. [42] Mozilla and contributors individual. 2021. Mozilla Developer Network—HTML Elements Reference. Retrieved March 17, 2021 from https://developer.mozilla.org/en-US/docs/Web/HTML/Element.Google ScholarGoogle Scholar
  43. [43] Mozilla and contributors individual. 2021. Mozilla Developer Network—<img>: The Image Embed Element—Loading Attribute. Retrieved March 17, 2021 from https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#attr-loading.Google ScholarGoogle Scholar
  44. [44] Mozilla and contributors individual. 2021. webRequest.onBeforeRequest—Additional Objects. Retrieved May 18, 2021 from https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onBeforeRequest#additional_objects.Google ScholarGoogle Scholar
  45. [45] Neutkens Tim, Kanezawa Naoyuki, Rauch Guillermo, Susiripala Arunoda, Kovanen Tony, Zajdband Dan, and contributors. 2021. Next.js Homepage. Retrieved April 26, 2021 from https://nextjs.org/.Google ScholarGoogle Scholar
  46. [46] OpenDNS. 2021. OpenDNS—Domain Tagging. Retrieved April 30, 2021 from https://community.opendns.com/domaintagging/.Google ScholarGoogle Scholar
  47. [47] OpenDNS. 2021. OpenDNS—Domain Tagging—Categories. Retrieved April 30, 2021 from https://community.opendns.com/domaintagging/categories.Google ScholarGoogle Scholar
  48. [48] Q-Success. 2021. Usage Statistics of JavaScript Libraries for Websites. Retrieved August 11, 2021 from https://w3techs.com/technologies/overview/javascript_library.Google ScholarGoogle Scholar
  49. [49] Rizzo Valentino, Traverso Stefano, and Mellia Marco. 2021. Unveiling web fingerprinting in the wild via code mining and machine learning. Proc. Priv. Enhanc. Technol. 2021, 1 (2021), 4363. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  50. [50] Rokicki Thomas, Maurice Clémentine, and Laperdrix Pierre. 2021. SoK: In search of lost time: A review of JavaScript timers in browsers. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P’21). IEEE, 472486. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  51. [51] Sampson Jonathan. 2020. What’s Brave Done For My Privacy Lately? Episode #3: Fingerprint Randomization. Retrieved May 37, 2021 from https://brave.com/privacy-updates-3/.Google ScholarGoogle Scholar
  52. [52] sanketh. 2020. mozilla-central—In RFP Mode, Turn Canvas Image Extraction into a Random ‘Poison Pill’ for Fingerprinters. Retrieved May 27, 2021 from https://hg.mozilla.org/mozilla-central/rev/ab2a75db3ebe.Google ScholarGoogle Scholar
  53. [53] Shusterman Anatoly, Agarwal Ayush, O’Connell Sioli, Genkin Daniel, Oren Yossi, and Yarom Yuval. 2021. Prime+Probe 1, JavaScript 0: Overcoming browser-based side-channel defenses. In Proceedings of the 30th USENIX Security Symposium (USENIX Security’21), Bailey Michael and Greenstadt Rachel (Eds.). USENIX Association, 28632880. Google ScholarGoogle Scholar
  54. [54] Sjösten Alexander, Snyder Peter, Pastor Antonio, Papadopoulos Panagiotis, and Livshits Benjamin. 2020. Filter list generation for underserved regions. In Proceedings of the World Wide Web Conference (WWW’20), Huang Yennun, King Irwin, Liu Tie-Yan, and Steen Maarten van (Eds.). ACM / IW3C2, 16821692. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  55. [55] Snyder Peter, Vastel Antoine, and Livshits Ben. 2020. Who filters the filters: Understanding the growth, usefulness and efficiency of crowdsourced Ad Blocking. Proc. ACM Meas. Anal. Comput. Syst. 4, 2 (2020), 26:1–26:24. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  56. [56] Solomos Konstantinos, Kristoff John, Kanich Chris, and Polakis Jason. 2021. Tales of favicons and caches: Persistent tracking in modern browsers. In Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS’21). The Internet Society. Google ScholarGoogle ScholarCross RefCross Ref
  57. [57] team Bootstrap and contributors. 2021. Bootstrap Documentation—Accordion. Retrieved October 25, 2021 from https://getbootstrap.com/docs/5.1/components/accordion/.Google ScholarGoogle Scholar
  58. [58] team Bootstrap and contributors. 2021. Bootstrap Documentation—Components. Retrieved October 25, 2021 from https://getbootstrap.com/docs/5.1/getting-started/introduction/#components.Google ScholarGoogle Scholar
  59. [59] team Bootstrap and contributors. 2021. Bootstrap Documentation—Dropdowns. Retrieved October 25, 2021 from https://getbootstrap.com/docs/5.1/components/dropdowns/.Google ScholarGoogle Scholar
  60. [60] team Bootstrap and contributors. 2021. Bootstrap Homepage. Retrieved April 25, 2021 from https://getbootstrap.com/.Google ScholarGoogle Scholar
  61. [61] team Bootstrap and contributors. 2021. Bootstrap JavaScript. Retrieved April 26, 2021 from https://getbootstrap.com/docs/5.1/getting-started/javascript/.Google ScholarGoogle Scholar
  62. [62] Tschantz Michael Carl, Afroz Sadia, Sajid Shaarif, Qazi Shoaib Asif, Javed Mobin, and Paxson Vern. 2018. A bestiary of blocking: The motivations and modes behind website unavailability. In Proceedings of the 8th USENIX Workshop on Free and Open Communications on the Internet (FOCI’18), Gill Lex and Jansen Rob (Eds.). USENIX Association. Google ScholarGoogle Scholar
  63. [63] Varvello Matteo and Livshits Benjamin. 2020. On the battery consumption of mobile browsers. arXiv:2009.03740. Retrieved from https://arxiv.org/abs/2009.03740.Google ScholarGoogle Scholar
  64. [64] W3C. 1999. HTML4 Specification—Specifying Anchors and Links. Retrieved March 18, 2021 from https://www.w3.org/TR/html401/struct/links.html#h-12.1.3.Google ScholarGoogle Scholar
  65. [65] W3C. 2021. ARIA Specification—Design Patterns and Widgets. Retrieved March 17, 2021 from https://w3c.github.io/aria-practices/#aria_ex.Google ScholarGoogle Scholar
  66. [66] WHATWG. 2021. HTML Specification—Custom Data Attribute. Retrieved March 17, 2021 from https://html.spec.whatwg.org/#custom-data-attribute.Google ScholarGoogle Scholar
  67. [67] WHATWG. 2021. HTML Specification—Implicit Submission. Retrieved March 18, 2021 from https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#implicit-submission.Google ScholarGoogle Scholar
  68. [68] WHATWG. 2021. HTML Specification—Scroll to the Fragment Identifier. Retrieved March 18, 2021 from https://html.spec.whatwg.org/multipage/browsing-the-web.html#scroll-to-the-fragment-identifier.Google ScholarGoogle Scholar
  69. [69] Yang Zhiju and Yue Chuan. 2020. A comparative measurement study of web tracking on mobile and desktop environments. Proc. Priv. Enhanc. Technol. 2020, 2 (2020), 2444. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  70. [70] Yetinauts Foundation. 2021. Foundation Documentation. Retrieved March 17, 2021 from https://get.foundation/sites/docs/.Google ScholarGoogle Scholar
  71. [71] You Evan and contributors. 2021. Vue.js Website. Retrieved April 26, 2021 from https://vuejs.org/.Google ScholarGoogle Scholar
  72. [72] Zhu Shitong, Hu Xunchao, Qian Zhiyun, Shafiq Zubair, and Yin Heng. 2018. Measuring and disrupting anti-adblockers using differential execution analysis. In Proceedings of the 25th Annual Network and Distributed System Security Symposium (NDSS’18). The Internet Society. Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. Breaking Bad: Quantifying the Addiction of Web Elements to JavaScript

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on Internet Technology
        ACM Transactions on Internet Technology  Volume 23, Issue 1
        February 2023
        564 pages
        ISSN:1533-5399
        EISSN:1557-6051
        DOI:10.1145/3584863
        • Editor:
        • Ling Liu
        Issue’s Table of Contents

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 23 February 2023
        • Online AM: 12 January 2023
        • Accepted: 16 November 2022
        • Revised: 26 September 2022
        • Received: 21 January 2022
        Published in toit Volume 23, Issue 1

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
      • Article Metrics

        • Downloads (Last 12 months)181
        • Downloads (Last 6 weeks)15

        Other Metrics

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Full Text

      View this article in Full Text.

      View Full Text

      HTML Format

      View this article in HTML Format .

      View HTML Format
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!