Verifying Web Browser Extensions’ Compliance with Private-Browsing Mode
Benjamin S. Lerner, Liam Elberty, Neal Poole, Shriram Krishnamurthi
European Symposium on Research in Computer Security, 2013
Modern web browsers implement a private browsing mode that is intended to leave behind no traces of a user’s browsing activity on their computer. This feature is in direct tension with support for extensions, which can silently void this guarantee.
We have retrofitted type annotations to Firefox’s APIs and to a sample of actively used Firefox extensions. We used the type system to verify several extensions as safe, find actual bugs in several others (most of which have been confirmed by their authors), and find dubious behavior in the rest. Firefox 20, released April 2, 2013, implements a finer-grained private browsing mode; we sketch both the new challenges in this implementation and how our approach can handle them.