Modern websites heavily rely on JavaScript (JS) to implement legitimate functionality as well as privacy-invasive advertising and tracking. Browser extensions such as NoScript block any script not loaded by a trusted list of endpoints, thus hoping to block privacy-invasive scripts while avoiding breaking legitimate website functionality. In this paper, we investigate whether blocking JS on the web is feasible without breaking legitimate functionality. To this end, we conduct a large-scale measurement study of JS blocking on 100K websites. We evaluate the effectiveness of different JS blocking strategies in tracking prevention and functionality breakage. Our evaluation relies on quantitative analysis of network requests and resource loads as well as manual qualitative analysis of visual breakage. First, we show that while blocking all scripts is quite effective at reducing tracking, it significantly degrades functionality on approximately two-thirds of the tested websites. Second, we show that selective blocking of a subset of scripts based on a curated list achieves a better tradeoff. However, there remain approximately 15% `mixed` scripts, which essentially merge tracking and legitimate functionality and thus cannot be blocked without causing website breakage. Finally, we show that fine-grained blocking of a subset of JS methods, instead of scripts, reduces major breakage by 3.7$\times$ while providing the same level of tracking prevention. Our work highlights the promise and open challenges in fine-grained JS blocking for tracking prevention without breaking the web.

翻译：现代网站严重依赖JavaScript（JS）来实现合法功能，同时也用于隐私侵犯的广告和跟踪。诸如NoScript之类的浏览器扩展会拦截所有未由可信端点列表加载的脚本，以期在避免破坏合法网站功能的同时阻止隐私侵犯脚本。本文研究了在不破坏合法功能的前提下，在网页上拦截JS是否可行。为此，我们对10万个网站进行了大规模JS拦截测量研究。我们评估了不同JS拦截策略在跟踪预防和功能破坏方面的有效性。评估依赖于对网络请求和资源加载的定量分析，以及对视觉破坏的手动定性分析。首先，我们发现虽然拦截所有脚本在减少跟踪方面相当有效，但大约三分之二的测试网站功能显著退化。其次，基于精心策划的列表选择性拦截部分脚本可实现更好的权衡。然而，仍有约15%的“混合”脚本，它们本质上是将跟踪功能与合法功能融合在一起，因此拦截它们必然导致网站功能破坏。最后，我们发现细粒度地拦截部分JS方法（而非整个脚本）可将重大破坏减少3.7倍，同时提供同等水平的跟踪预防。我们的工作凸显了在不破坏网页的前提下进行细粒度JS拦截以预防跟踪的前景与未解决的挑战。